Achieving Data Privacy in the Cloud

Academic year: 2021


Achieving Data Privacy in the Cloud

Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in Germany

Sponsored by Microsoft

Achieving Data Privacy in the Cloud: Germany

Contents

Executive Summary 2

Key findings 3
  Perceptions about privacy, data protection, and the use of cloud resources 3
  Cloud computing is considered an important part of IT operations 3
  Organizational commitment to privacy and data protection in the cloud 3
  Impact of sufficiency of privacy practices on selection of cloud providers 4
  The state of cloud computing in organizations 5
  Cloud computing is now an integral part of IT 5
  Although cloud computing is increasing rapidly, it does not seem to affect organizational privacy commitments 6
  Organizations rely on cloud provider contracts and self-assessments in the vetting process 7
  Certain assurances from cloud vendors influence organizational decisions to purchase services 8
  Understand the types of confidential information that are too risky to be used or stored in the cloud 9
  Country differences in cloud privacy 10
  Confidence about data privacy in the cloud 10
  The impact of cloud service privacy practices on purchase decisions 11

Executive Summary

The goal of the study was to better understand what business decision-makers in small and medium-sized organizations think about privacy as they adopt cloud computing. Specifically, we wanted to determine their concerns about cloud computing related to privacy and how cloud providers can ameliorate them. More than half (56 percent) of respondents say their organizations are moderate or heavy users of cloud computing resources, and they expect their use of cloud resources to increase over the next two years, even though they are concerned about how they will manage data privacy in the cloud.

The research also found that the privacy reputation and practices of cloud computing providers figure prominently into cloud computing purchasing decisions. Seventy-six percent of respondents stated that privacy influenced their choice of providers.

Cloud provider privacy practices cited as particularly important are:

Disclosure of physical location of data (61 percent of respondents)

Strict processes to separate customer data (58 percent)

Agreement not to mine customer data for advertising (50 percent)

Provides European Union model clauses as contractual agreements (43 percent)

With organizations increasingly moving to the cloud, it is becoming more important to ensure that privacy commitments and obligations are met. Fifty-six percent of respondents say they are confident that their organization is capable of achieving privacy when deploying cloud applications or services.

The Ponemon Institute surveyed 1,771 individuals in positions within IT, compliance, data security, risk management, and privacy in the United States, Germany, and the Nordic countries (Denmark, Finland, Norway, and Sweden), and created three separate reports.

This report focuses on Germany, where Ponemon surveyed 668 individuals who had, on average, approximately 10 years of business experience. More than half (52 percent) report to the Chief Information Officer, followed by 17 percent who report to the Compliance Officer and 16 percent who report to the Chief Information Security Officer.

In the following sections, we present an analysis of the most salient findings of this research, as well as recommendations to help organizations improve privacy in the cloud. The complete findings of this research are presented in the appendix to this report.

Topics addressed in this study

> Perceptions about privacy, data protection, and the use of cloud resources

> The state of cloud computing in small and medium-sized organizations

> Country differences in attitudes about cloud computing and privacy

Key findings

Perceptions about privacy, data protection, and the use of cloud resources

Cloud computing is considered an important part of IT operations

Fifty-six percent of organizations in this study make either heavy or moderate use of cloud computing. Only 17 percent say their use is light. The majority (52 percent) use public cloud services, though there is also some use of private cloud services (39 percent). Reliance on cloud computing is also expected to increase, as 84 percent of respondents expect cloud computing to be either important, very important, or essential to their organizations in two years, up from 66 percent who view cloud computing that way today.

Organizational commitment to privacy and data protection in the cloud

Seventy-three percent of respondents say their organizations are committed to protecting confidential or sensitive information. Thus, the majority of respondents say their organizations are taking the following positive actions, as shown in figure 1.

Figure 1
Actions that are practiced to protect data and privacy in the cloud

[Figure 1 bars: extremely careful about sharing confidential or sensitive personal information with third parties, including cloud providers; assess the impact that the use of cloud computing has on their privacy commitments and obligations; establish clearly defined accountability for safeguarding confidential or sensitive personal information; respect the privacy rights of customers, employees, consumers, and other stakeholders; determine what personal data is too sensitive for the cloud environment; proactive compliance management with privacy and data protection laws, regulations, and other requirements. Values shown in the chart (order lost in extraction): 73%, 65%, 58%, 69%, 58%, 62%.]

Based on steps taken to advance privacy practices in their organizations, 56 percent of respondents are confident that their organizations are capable of meeting their privacy commitments when deploying cloud applications or services.

Impact of sufficiency of privacy practices on selection of cloud providers

As shown in figure 2, 76 percent of respondents say their organizations do consider the level of commitment a cloud provider has for achieving privacy in the cloud when they are making purchasing decisions, including 45 percent who say privacy policies had a significant or very significant impact.

Figure 2
Impact of cloud provider's privacy policies and practices on selection of cloud providers

  Very significant impact: 18%
  Some to significant impact: 58%
  No impact: 21%
  Unsure: 3%

Figure 3
Important issues that determine the cloud providers' commitment to privacy
"Very important" and "important" responses combined

figure 3 shows the privacy features and policies of cloud providers regarded as very important or important when evaluating a cloud provider’s commitment to privacy. Specifically, 61 percent of respondents believe disclosure of physical location of data is critical, 58 percent want strict processes to separate customer data from other customers, 50 percent of respondents want cloud providers not to mine customer data for advertising purposes, and 43 percent say providing European Union’s model clauses as contractual agreements is important.

[Figure 3 data]
  The cloud provider discloses the physical location of data storage: 61%
  The cloud provider has processes in place to ensure that customer data is separate from that of other customers: 58%
  The cloud provider agrees not to mine customer data: 50%
  The cloud provider provides European Union's model clauses as contractual agreements: 43%

Figure 4
Importance of cloud computing in meeting information technology and data processing objectives

                   Today   24 months from now
  Essential          5%      7%
  Very important    38%     43%
  Important         23%     34%
  Not important     30%     13%
  Irrelevant         4%      3%

Cloud computing is now an integral part of IT

Figure 4 reveals that 66 percent of respondents say that cloud computing applications or services are essential or important to meeting their organization's IT and data processing objectives today. This percentage is expected to increase to 84 percent 24 months from now.

As shown in figure 5, the top three cloud computing applications used in German small-to-medium businesses (SMBs) today are infrastructure applications such as online backup, security, and archiving; business applications like CRM and webmail; and peer-to-peer applications such as instant messaging.

Figure 5
Cloud computing applications currently in use

[Figure 5 categories: infrastructure applications; business applications; peer-to-peer; social media applications; solution stacks; services; storage; other; we don't use cloud applications or services. Values shown in the chart (order lost in extraction): 74%, 28%, 56%, 17%, 46%, 9%, 38%, 36%, 3%.]

The state of cloud computing in organizations

The anticipated growth in cloud computing is shown in figure 6. Based on an extrapolated average, cloud computing resources meet 23 percent of organizations' total IT and data processing requirements, and this is expected to increase to 37 percent over the next 24 months.

Figure 6
Percentage of information technology requirements met by cloud computing

[Figure 6: two series, "today" and "24 months from now", across the bins none, <10%, 11%–20%, 21%–30%, 31%–40%, 41%–50%, 51%–60%, 61%–70%, 71%–80%, >80%. Values shown in the chart (order lost in extraction): 9%, 21%, 11%, 6%, 2%, 14%, 5%, 32%, 0%, 1%, 6%, 23%, 9%, 11%, 1%, 7%, 19%, 12%, 7%, 5%.]

Although use of cloud computing is increasing rapidly, it does not seem to affect organizational privacy commitments

Only 35 percent of respondents say the use of cloud resources increases their organization's responsibility to safeguard customer, employee, consumer, and other stakeholders' personal information. Figure 7 also shows that 47 percent of respondents say it does not impact their organization's responsibility. It seems, therefore, that organizations are relying on the cloud provider to ensure the security of their sensitive data when deployed to the cloud.

Figure 7
Impact of cloud computing on organizational responsibility to safeguard information

  Cloud computing does not affect our responsibility: 47%
  Cloud resources increase our responsibility: 35%
  Cloud resources decrease our responsibility: 18%

organizations rely on cloud provider contracts, third-party audit reports, and self-assessments in the vetting process

Fifty-one percent of respondents say their organizations evaluate cloud applications for privacy and data protection considerations before engagement or deployment by their end users. As shown in figure 8, the top three steps organizations take to vet cloud providers are contractual negotiation and legal review (64 percent), proof of compliance such as an audit report (52 percent), and self-assessment checklist or questionnaire completed by the provider (39 percent).

Further, 38 percent say they look at adherence to a certification standard and they consider SAS-70 (which is currently being replaced by the SSAE 16 standard) and PCI DSS as the certifications most important for evaluating cloud providers (51 percent and 48 percent, respectively). Forty-three percent say the ISO 27001 certification is most important (figure 9).

As shown in figure 10, to secure sensitive and confidential data, the majority of respondents say they rely on assurances from the cloud provider (70 percent) or reliance on contractual agreements with the cloud provider (59 percent). Only 40 percent say they use conventional data security tools such as encryption to protect information in the cloud.

Figure 8
Methods for vetting or evaluating cloud providers
More than one choice permitted

  Contractual negotiation and legal review: 64%
  Proof of compliance: 52%
  Self-assessment checklist completed by provider: 39%

Figure 9
Most important certifications used when evaluating cloud providers

  SAS-70: 51%
  PCI DSS: 48%
  ISO 27001: 43%

Figure 10
Methods for securing confidential or sensitive personal information in the cloud
More than one choice permitted

  We rely on assurances from the cloud provider: 70%
  We rely on contractual agreements with the cloud provider: 59%
  We use conventional data security tools to protect information: 40%
  We buy additional security services provided by the cloud provider: 10%
  Don't know: 9%

Certain assurances from the cloud vendor influence organizational decisions to purchase services

As discussed previously, 76 percent of respondents say that the privacy policies and practices of their cloud providers would impact their cloud purchasing decisions, so there are certain assurances that could make a difference.

Figure 11 shows that 79 percent of respondents would be much less likely or less likely to purchase cloud services if the cloud vendor reported a material data breach involving the loss or theft of sensitive or confidential personal information.

Figure 11
The impact of a material data breach on the decision to use a cloud provider

  Much less likely to buy cloud services: 45%
  Less likely to buy cloud services: 34%
  No effect on the decision to buy cloud services / unsure: 17% and 4% (assignment lost in extraction)

Sixty percent of respondents say assurances from a bona fide and credible third party that the cloud vendor meets all privacy and data protection requirements, including regulations and laws in various countries, would make them much more or more likely to purchase cloud services (figure 12).

Forty-two percent say their decision to buy would improve if a third party provided assurance that the cloud provider meets privacy and protection requirements.

Figure 12
Conditions that affect the decision to use a cloud provider

                                            Cloud provider agrees to meet all    Third party provides assurance that the
                                            privacy and data protection          cloud provider meets privacy and
                                            requirements                         protection requirements
  Much more likely to buy cloud services    17%                                  15%
  More likely to buy cloud services         43%                                  27%
  No effect on the decision to buy          35%                                  55%
  Unsure                                     5%                                   3%

The following findings discuss what practices would help organizations achieve privacy in the cloud and what organizations are doing.

Understand the types of confidential information that are too risky to be used or stored in the cloud

As shown in Figure 13, the types of data that German SMBs are most concerned about putting in the cloud are health records (67 percent); intellectual property such as source code, design plans, and architectural renderings (63 percent); and employee records (56 percent).

Figure 13
Information too risky to be used in the cloud
More than one choice permitted

  Health records: 67%
  Intellectual property: 63%
  Employee records: 56%
  Research data, customer payments, financial business information: 51%, 39%, 37% (assignment lost in extraction)

Country differences in cloud privacy

In this study, Ponemon Institute surveyed 1,771 individuals in IT, compliance, data security, risk management and privacy in the United States, Germany and the Nordic countries (Denmark, Finland, Norway, and Sweden). In this section, we present some of the most salient differences that emerged in this research.

Confidence about data privacy in the cloud

How does confidence in meeting privacy commitments when deploying cloud applications or services differ among countries in this study? As Figure 14 shows, German respondents are far more confident that their organizations can fulfill their privacy obligations when deploying cloud services than respondents in the United States.

Figure 14
Confidence that privacy obligations are met when deploying cloud applications
"Very confident" and "confident" responses combined

[Figure 14 bars: U.S., Germany, Nordic countries.]

The impact of cloud service privacy practices on purchase decisions

Impressions about a cloud service provider's commitment to privacy have the most impact among respondents in Germany and the Nordic countries, according to Figure 15.

As shown in Figure 16, SMBs in the U.S. and Germany want cloud providers to disclose the physical location of data storage, including the location of replicated or backed-up data files. In the Nordic countries, it is most important that the cloud provider has strict processes and procedures in place to ensure that customer data is separate from other customers.

Figure 15
Impact of cloud provider's privacy policies and practices on selection of cloud provider

                            U.S.   Germany   Nordics
  Very significant impact   12%    18%       21%
  Significant impact        18%    27%       28%
  Some impact               29%    31%       31%
  No impact                 38%    21%       14%
  Unsure                     3%     3%        3%

Figure 16
Important issues that determine the cloud provider's commitment to privacy

                                                                        U.S.   Germany   Nordic countries
  The cloud provider discloses the physical location of data storage   62%    61%       53%
  The cloud provider has processes in place to ensure that customer
  data is separate from that of other customers                        54%    58%       56%
  The cloud provider agrees not to mine customer data                  44%    50%       49%
  The cloud provider uses European Union's model clauses as
  contractual agreements                                               24%    43%       35%

Conclusion

Achieving privacy in the cloud is a challenge for all organizations. We recommend that organizations assess the specific, proactive steps they can take to protect sensitive information in the cloud, such as:

Create policies and procedures that clearly state the importance of protecting sensitive information stored in the cloud. The policy should outline what kinds of information are considered sensitive and proprietary.

Evaluate the security posture of third parties before sharing confidential or sensitive information. As part of the process, corporate IT or IT security experts should conduct a thorough review and audit of the vendor’s security qualifications.

Train employees to mitigate the security risks specific to cloud technology to make sure that sensitive and confidential information is not threatened.

Establish an organizational structure that allows the CIO, CISO, or other security and privacy leaders to participate actively in the vetting, purchasing, and implementing processes to ensure that they are handled appropriately.

If appropriate, establish a functional role dedicated to information-governance oversight to better protect the business.

Define a policy that governs the protection of sensitive and confidential data and applications that organizations put in the cloud.

Ponemon Institute also recommends that cloud computing providers offer greater transparency into their security infrastructure to help ensure customer confidence that information stored in the cloud is secure.

Method

Table 1 reports the sample frame of 21,005 individuals in Germany who have bona fide credentials in the IT, compliance, data security, risk management, and privacy fields. In total, 699 respondents completed the survey. Of the returned instruments, 31 surveys failed reliability checks. A total of 668 surveys were used as the final sample, which represents a 3.2 percent response rate.

Pie Chart 1 summarizes the approximate position levels of respondents in our study. The majority (61 percent) of respondents are at or above the supervisory level. The average experience in IT or IT security is 9.6 years.

Pie Chart 3 shows that more than half of the respondents (58 percent) report to the Chief Information Officer or Chief Information Security Officer.

Pie Chart 2 reports the respondents’ primary industry segments. Fifteen percent of respondents are in the financial services, which includes banking, investment management, insurance, brokerage, payments, and credit cards. Another 14 percent are in public sector organizations, including central and local government, and 10 percent are in retail.

Table 1
German sample

  Response           Respondents   Percentage
  Sampling frame     21,005        100.0%
  Invitations sent   20,092        95.7%
  Total returns      699           3.3%
  Total rejects      31            0.1%
  Final sample       668           3.2%

Pie Chart 1
Distribution of respondents according to position level

[Pie Chart 1 slices: senior executive, vice president, director, manager, supervisor, staff or technician, other.]

Pie Chart 2
Distribution of respondents according to primary industry classification

[Pie Chart 2 slices: financial services, public sector, retail, technology and software, health and pharmaceutical, services, industrial, consumer products, education and research, hospitality and leisure, communications, defense, transportation, other. Values shown across both charts (order lost in extraction): 3%, 5%, 39%, 6%, 3%, 10%, 14%, 5%, 19%, 9%, 6%, 15%, 4%, 5%, 21%, 7%, 3%, 14%, 4%, 9%.]

Survey Limitations

There are inherent limitations to survey research that must be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias. The findings are based on a sample of survey returns. The researchers sent surveys to a representative sample of individuals, resulting in the return of a large number of usable responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different from those who completed the survey in terms of underlying beliefs.

Sampling-frame bias. Research accuracy is based on contact information and the degree to which the list is representative of individuals who are knowledgeable about protecting data in the cloud environment. The researchers recognize that the results may be biased by external events such as media coverage. They also acknowledge that there may be bias because subjects were compensated for completing the surveys.

Self-reported results. The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not respond truthfully.
