Advances in IT have revolutionized the way business is conducted in many organizations. Producers and consumers can now access a variety of goods and services from anywhere in the world without the constraints of geographical location or time zone (Leavitt, 2009).
One of the major legal issues stemming from the application of information technology in business organizations is the concept of cloud computing. Cloud computing refers to the practice of storing data on information systems that are controlled by third parties using remote servers. The data can then be readily accessed over the internet.
Before the advent of cloud computing, clients had to connect to multiple servers in their business organisation, and they could only connect to each server separately. Cloud computing solved this problem by allowing all servers and applications within a network to be integrated and to function as a single entity. It thus led to greater speed and efficiency in the management of resources.
Cloud computing is offered through three major platforms: IaaS (Infrastructure as a Service); SaaS (Software as a Service); and PaaS (Platform as a Service) (Ruiter, 2009). IaaS is the simplest and easiest since it allows connection of hardware through web interfaces. PaaS provides a platform for users to develop and implement their own software and share it through web interfaces.
SaaS provides applications installed on a remote computer, which users can easily access. Business organizations can develop their own cloud computing services or hire CSPs (Cloud Service Providers) to do so. Cloud computing can thus be classified into four broad categories: public clouds, hybrid clouds, private internal clouds, and private external clouds.
The security and privacy concerns experienced by clients of a business organization depend on the type of cloud computing technology being used. In public clouds, services are obtained through a CSP located outside the organization. The CSP hosts the hardware of different organizations.
Therefore, an organization exerts very little control over the privacy of data. Private external clouds still rely on a CSP, but the CSP hosts only the organization’s hardware, so security is somewhat enhanced. For private internal clouds, the organization does not rely on a CSP and manages information through a private data centre. In hybrid clouds, the different cloud types are combined (Bull, 2001, p. 240).
The use of cloud computing in business organizations has raised legal issues pertaining to confidentiality, privacy, and security of personal data. This is particularly so in relation to private financial information and financial transactions.
If hackers or other malicious third parties are able to access such crucial information, it would have devastating effects for the clients, customers, staff and indeed the entire business organization. This paper seeks to explore the problems associated with cloud computing, consequences, and possible solutions to the problem.
In April 2011, Amazon’s cloud infrastructure experienced two attacks. Hackers used the Amazon cloud to attack Sony Corporation’s online entertainment system. Major media corporations reported the case. The hackers used a fake account for the attack and then rented a server on Amazon’s cloud service.
They were able to access and compromise crucial information relating to over 100 million customers. The attack was described by IT experts as being very sophisticated and very professionally executed (Martin, 2000, p. 42).
The hackers did not even have to go to extreme measures of breaking into Amazon’s remote servers. They registered like any legitimate organization seeking to hire Amazon’s service as a Cloud Service Provider (CSP).
They only used fake details, which means that the capability of many CSPs to authenticate information is very weak, since they cannot distinguish fake details from valid ones. Amazon hires out cloud space to other cloud service providers so that they can provide the services without having to purchase their own servers.
The attack resulted in a drop in both Amazon’s and Sony’s shares on the stock exchange. The hackers were also able to access credit card records, debit records and general personal information of over 100 million Sony customers. Sony’s PlayStation and Qriocity networks crashed and stalled as a result of the attack.
The response involved giving the FBI a history of transactions on the cloud so that they could try to identify the hacker. This would be done by validating the internet address, the payment information and the specific credit card that had been used.
The Sony Corporation was subpoenaed by New York’s Attorney General to give further explanation. The FBI also subpoenaed Amazon. Sony also offered customers free annual protection from identity theft.
Users were advised to install and update their anti-virus and anti-spyware software and to continuously update the web browsers they were using. The users were warned against clicking on links in their emails and sharing passwords in cyberspace. Amazon also promised to upgrade its cloud data security capacity, and refreshed the entire VPN infrastructure.
The right to privacy has been declared a fundamental human right (Gellman, 2009). Most national legislation and international human rights instruments have enshrined the right to privacy.
Economic theory states that business policies are shaped by the preferences of consumers. Consumers determine the market share that a company enjoys, and the larger the market share, the higher the company’s profits. As our case study shows, the attack on Sony’s online entertainment system led to a reduction in the value of its shares on the stock exchange.
Business organizations should be aware of the security issues that come with cloud computing services. There is a need to ensure privacy, confidentiality and availability of the data (Regan, 2004, p. 481). There must be a high degree of transparency on the isolation and protection of consumer data.
Heavy reliance on web browsers by CSPs means that a security failure of the browser will lead to a breach of the security of the data stored by the cloud service provider. Before opting for cloud computing, a business organisation must take into consideration the viability of its application to handle cloud data, the cost of the life cycle and the transition (Weinhardt, et al., 2004).
Data stored in a cloud must be secured from third parties and the external world. There is no guaranteed security of cloud data, and third parties are easily able to break into the system, as illustrated by our case study. Since CSPs are found all over the globe, customers cannot determine the exact location of their data (Gellman, 2009).
Where data is distributed in many centres, it becomes difficult to investigate the transactions in the cloud and identify possible culprits. For instance, Amazon was not able to identify the persons who hacked into Sony’s online entertainment system.
Privacy risks emanate from the lack of laws preventing clients from disclosing certain private information to CSPs. Information that users may not like to disclose to a cloud easily finds itself in cloud space with detrimental consequences.
Users sometimes neglect to read through the terms of service and privacy policy of the cloud provider (Bull, 2001, p. 242). The situation is further complicated by the fact that there are no laws governing trans-border transmission of private data (Ruiter, 2009).
Currently CSPs use SSL (Secure Sockets Layer) technology, authentication protocols and digital signatures, all of which have proved ineffective in safeguarding consumer data since they have been attacked by hackers.
The physical location of a CSP has been identified as an important aspect in enforcing privacy regulations (Leavitt, 2009, p. 17). It determines the country or state which has jurisdiction in case of a breach of the security of private data.
Outsourcing individual data to a CSP poses the greatest threat to a person’s privacy. The CSP (e.g. Amazon) physically hosts and controls the data, while the client (e.g. Sony) is accountable for failure to comply with privacy regulations. The security solutions relied upon by CSPs include encryption of data, firewalls, access management and intrusion detection.
Data security depends on the type of cloud that is being used. The data may also be disclosed to third parties such as government agencies and marketers without the owner’s consent. CSPs themselves are not aware of the privacy laws that they are supposed to comply with.
Several solutions have been suggested as means of dealing with the privacy and security issues posed by cloud computing. Subscribers should be entitled to terminate the services of a CSP and to recover all the data that they had entrusted to the CSP (Nicolett and Heiser, 2008).
Subscribers should be compensated for any losses or injuries that they may suffer if their data is exposed to third parties. Subscribers must ensure that the CSP is compliant with privacy regulations, is subjected to external audits, and that its staff are continuously vetted (Baase, 2007). The CSP should also be licensed and certified to operate. Subscribers must also have the authority to remove an application online.
Subscribers must also ensure that clouds are compatible with data access protocols. Data should also be segregated so that sensitive data is accorded higher protection than non-sensitive data.
Cloud providers should not modify data without client approval. They should also delete and dispose of data upon a customer’s request. It should also be possible to recover the data through provision of archiving capability and data back-up.
Subscribers must minimize risk of attack of their data by ensuring that they have installed updated anti-virus, anti-spyware and web browsers. This would reduce attacks that are directed towards infecting personal computers with malicious software (Cubrilovic, 2009).
They should ensure that high quality encryption is used during internet sessions where confidential applications or data transfers are required. The physical location of the plant of a CSP must be secure since in extreme cases cyber attackers may physically target the back-up storage.
Providers that are not limited to one location are preferable in case unforeseen events such as natural disasters occur.
Cloud Service providers should use strict authorization codes that are able to differentiate valid subscriber accounts from fake ones (Ruiter, 2009). Subscribers should be able to validate the access mechanisms supported by the provider’s infrastructure and the tools used to authenticate other subscribers. They should also be able to track their data once a cloud service provider receives it.
Where cloud service providers offer cloud services in the form of VMs (Virtual Machines), subscribers should ensure that the CSP prevents attacks through VLANs, virtual IPS, and virtual firewalls. Users should also choose clouds that are compatible with standardized tools and languages.
From the case study and the consequent discussion, it is clear that cloud computing poses inherent security and privacy risks to client and organisation data. It is also clear that no effective legislation or guidelines have been put in place to deal with the problem.
Cloud Service Providers need to analyze the risks involved with the service before they provide it to users. Business organizations should also consider adopting a private internal cloud computing policy since security and privacy concerns are minimized.
Cloud service users should take time to read the terms and conditions of the cloud service provider. They should also perform a risk analysis themselves on the likely consequences of entrusting their data to the CSP (Regan, 2004, p. 490).
Cloud service providers and subscribers must share responsibilities in implementing the relevant data security measures and controls.
A business organization must define security measures to address cloud security concerns, increase security measures during procurement of the services, keenly scrutinize cloud service providers, and make sure security protocols are deployed throughout the process. This will greatly help in mitigating security threats and ensuring data privacy.
Baase, S 2007, A gift of fire: Social, legal, and ethical issues for computing and The Internet, Prentice Hall, London.
Bull, G 2001, “Data Protection-Safe Harbor, Transferring Personal Data To The USA”, Computer Law & Security Report, vol.17 no.4, pp. 239–243.
Cubrilovic, N 2009, “Letting Data die a natural death”, International Journal of Electronic Government Research, vol.22 no.3, pp. 56–67.
Gellman, R 2009, Cloud Computing and Privacy: Presented at the World Privacy Forum, <https://www.worldprivacyforum.org/2011/11/resource-page-cloud-privacy/>.
Leavitt, N 2009, “Is Cloud Computing Really Ready for Prime Time?” Computer, vol.42 no.1, pp.15–20.
Nicolett, M and Heiser, J 2008, Assessing the security risks of cloud computing, Stamford, Gartner Inc.
Martin, A 2000, “Security protocols and their properties”, Foundations of Secure Computation: NATO Science Series, vol. 11 no.4 pp. 39–60.
Regan, P 2004, “Old issues, new context: Privacy, information collection, and homeland security”, Government Information Quarterly, vol.21 no.4 pp.481–497.
Ruiter, J 2009, The Relationship between Privacy and Information Security in Cloud Computing Technologies, University of Amsterdam, Amsterdam.
Weinhardt, C et al. 2009, “Business Models in the Service World”, IT Professional, vol.11 no.2, pp.28–33.