This article has been written by Sumedha Baishya, pursuing the Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. This article has been edited by Zigishu Singh (Associate, Lawsikho), and Smriti Katiyar(Associate, Lawsikho).
The use of cloud services is rising over the years and it has already crossed the $370 billion valuations in 2020, the COVID-19 situation has increased the need for cloud capabilities in corporate and organisational structure as companies are thriving to create a new remote work environment. With the evolution of cloud space and cloud computing a new challenge has emerged; Cloud security and privacy of data! Data security and privacy protection are becoming important for the future development of cloud computing technology in government, industries, and business. When we talk about Cloud security, it is more complicated than data security in traditional information systems, as the data is scattered in different machines all over the world which makes it difficult to identify the breach. This topic is a small endeavour to indulge ourselves in the concept of cloud security and how it has been evolving throughout time affecting the privacy of the data that are being stored.
What is cloud security?
Cloud security in its literal sense means cyber security that is dedicated to protecting cloud computing and its drawbacks. Thus, cloud security is a system that protects cloud computing, cloud environment, applications running in the cloud, and the data that is stored in the cloud.
Cloud security mainly consists of the following components:
· Data security,
· Legal compliance,
· Identity and access management (IAM),
· Governance (policies on threat prevention, detection, and mitigation),
· Data retention (DR) and business continuity (BC) planning.
Data security and privacy in cloud computing have been further divided into the following categories:
· Data integrity,
· Data confidentiality,
· Data availability,
· Data privacy.
In cloud computing data integrity means preserving information integrity by not allowing any unauthorised deletion, modification, and fabrication of the data. Considering the huge domain and large entities storing their data into cloud environments it is essential that only authorised people can access the data.
As many people are now availing the feature of storing their data into cloud systems their private and confidential data must be safe. Unfortunately, breach of data confidentiality is becoming a serious problem that this industry is facing.
Data availability means, the extent to which the user’s data can be used or recovered when the cloud system is faced by any accidents such as hard disk damage, fire, and network failures occur, and how the users verify their data by techniques rather than depending on the guarantee by the cloud service provider alone.
In a cloud, privacy is a very important aspect that needs to be addressed as people and organizations use cloud services for storing their data and repeated attacks on data by ransomware have made it pivotal.
What are the different types of cloud services?
- Software-as-a-service (SaaS) provides clients access to applications that are purely hosted and run on the provider’s servers. Providers manage the applications, data, runtime, middleware, and operating system. Clients are only tasked with getting their applications. SaaS examples include Google Drive, Slack, Salesforce, Microsoft 365, Cisco WebEx.
- Platform-as-a-Service (PaaS) is also known as cloud application infrastructure services and includes hardware and software tools. Its use has been steadily rising as organizations are investing in modernising their ‘old school’ applications with cloud-native capabilities. The PaaS market is expected to grow 26.6 per cent in 2021, Gartner forecasts, stating that the growth is driven by remote workers needing access to ‘to high performing, content-rich and scalable infrastructure to perform their duties.’
- Infrastructure-as-a-Service (IaaS)has been around since the beginning of cloud services. It is also known as pay-as-you-go services as it is used for storage, networking, visualisation, etc.
- Workstation-as-a-Service (WaaS), Traditionally, in a workplace an employee receives a company laptop over which they have full control, but which can only be used in its full capacity for part of the workday in that particular area. The use of this computer is dependent on on-premise applications like servers, workstations, and software. In response to this limitation, Workstation as a Service (WaaS) has emerged as a quickly growing cloud application.
WaaS is a type of application that gives employees full access to their information and other office applications at any time, from any device. It has everything needed to carry out office tasks including anti-virus software, backup capabilities, productivity apps, and accounting—already licensed and updated automatically. This gives employees freedom from physically connecting to their workstations, allowing them easy access to their work from wherever they are in the world. With the massive shift to remote work environments, we’ve witnessed in 2020, this will undoubtedly be an expanding area of cloud services.
- Disaster-Recovery-as-a-Service (DRaaS), As most of the organisations are continuing to operate more digitally, the cost of downtime is costing a fortune. For most e-commerce companies, this downtime can be disastrous as sales depend on online access. A recent example of it will be the downtime of Facebook and its allies’ companies which hit a stop on 4.10.2021 and incurred an average of $6 billion loss.
With such incidents, stricter regulations are holding organizations legally responsible for the protection and care of customer data. Thus, the increased risk of operating online has caused some organizations to re-evaluate their disaster relief strategies and look into Disaster Recovery as a Service (DRaaS). This includes an automated disaster relief strategy that can respond to issues and breaches faster, reducing costs and liability.
What are cloud environments?
Cloud environments are integrated models where one or more cloud services create a system to be used by the end-users and organisations. Some of them are:
- Public cloud environments consist of multi-feature cloud services where the user shares the provider’s servers with other such users which helps in building a co-working space. They are usually third-party services run by the provider to give the users access online.
- Private third-party cloud environments provide the users with exclusive use of the service on their cloud which is mainly owned and operated by some single external provider.
- Private in-house cloud environments as the name suggests are cloud service platforms that are operated by single-tenants(the organization using the services) from their own private data centre . The business that is handling the cloud service runs the environment by allowing a full configuration and setting up of every element.
- Multi-cloud environments consist of two or more cloud services operating together. The bend can be in any form of private or public cloud services. The main focus of this service is to analyze risk mitigation, functionality features and other features that will add significantly to one’s cyber posse.
- Hybrid cloud environments consist of a blend of onsite private cloud data or private third-party cloud with one or more public clouds. One of the advantages of a hybrid cloud environment is that when it is used in a well-integrated and balanced way it can help businesses scale up rapidly. The feature of scaling further and faster keeping at par with the public cloud’s innovative and flexible services without losing out on the higher cost efficiency, reaction speed and regulatory compliance that go hand in hand with the capabilities of the private cloud.
How cloud security works and what makes it so important?
Cloud security is the major issue that the information technology department is facing right now and thus the industry is trying to come up with new features every day. The cloud security measures work to accomplish the following:
· Recovering data in case of data loss,
· To give protection to the data and the network connectivity against any malicious theft,
· Reducing the impact of software error,
· Minimising human error by giving them the training to reduce data leaks.
As more and more companies are opting for cloud services in this online era and with remote work being the upcoming trend cloud services will only see an uprise. The question that has been already put in this discussion regarding the ‘Data security’ and the ‘Privacy space’ is haunting all the cloud service providers. The major problem that these companies face is that there is no parameter for cloud security, it is endless which makes it harder to attain its goal. With technological advancement, the hackers have also gained access to these systems and that is why strong software applications are required to safeguard the data.
This brings us to the next topic of discussion, how far has law evolved in respect to the swift changes in the cloud security and privacy environment?
Privacy concerns on cloud security
To protect the user’s sensitive data different legislation has been put in place to protect the sensitive data. Legislative measures like General Data Protection Regulation (GDPR) has been adopted by the European Union, California Consumer Privacy Act (CCPA) by California, Canada has enacted the Consumer Privacy Protection Act (CPPA), India is coming up with its Personal Data Protection Bill and many other countries are joining the war through their enacted regulations. Each of these regulations does its duty in protecting the data by drawing some limitations to the usage of data, the kinds of data that can be shared, and the penalties for not abiding by such regulations.
This has brought a positive effect in terms of protecting users’ data but the stringent effects of these legislations are yet to be seen. The presence of such rules creates a legal obligation for these cloud service providers to obey them and uphold data integrity. There is mandatory training that has to be provided to their employees handling data of customers to prevent leakage of information.
The huge fines that these companies incur for not following the regulations have pinpointed the need for awareness in the field of privacy laws. For instance, in the EU a total amount of $9 Billion has already been spent to prepare GDPR regulation and employment of 500,000 data protection officers which indicates the magnitude of this issue.
Evolution of cloud security and privacy space
With the advent of cloud computing, big tech companies made use of cloud storage for keeping their customer’s data as it was cost-effective, with no storage issue, and above all could be accessed from any part of the world. The storage of data brought the evident question of security and privacy. Over the last 10 years, everyone has understood the importance of cloud systems and also the importance of strengthening their security. That is why 50% of all corporate data is stored in the clouds. When such a huge amount of data is stored, it is evident that the privacy of such confidential and sensitive information will have to be looked into. But unfortunately, with the evolution of technology, the growth of privacy checks has not been able to keep up. Privacy space has been heavily compromised in the past few years, be it in the form of ransomware attacks or leakage of data in the dark web by hackers or because of any system bug, it is the user’s data that has gone into the wrong hands. Many of the users had to pay heavily for such a breach of privacy. Though the laws are coming to rectify the situation and to hold companies accountable so that remedy can be provided to such victims, the progress of these laws has been very slow.
Cybercrime in cloud service
There have been multiple data breaches in the past couple of years, ranging from Amazon, PayPal, Air India, Dominos, etc. There is a common trend in all of these data breaches that is the data is being sold on the dark web via access to the cloud logs in which it is stored.
Cloud computing enables anytime, anywhere access of information from centralised data center repositories. It is needless to say that underlying resources are not always controlled by the customers and vendors are responsible for managing any vulnerabilities prevailing in the system. On the other hand, users of cloud computing are expected to keep their data safe against cyber threats such as ransomware that use bugs and any technical fault existing in the software application to access and control sensitive data stored in data centres.
Two factors have contributed to cloud data centres becoming popular targets of ransomware and crypto-mining:
1. Absence of awareness among users regarding security measures,
2. Lack of visibility and control into cloud infrastructure.
Cybercrime in the cloud had cost the U.S. $7.5 billion in 2019, compromising government agencies, schools, healthcare institutions, and SMB firms using cloud-based data storage solutions.
Cloud services are going to see a boom in the next few years and rightly so because of the innumerable number of advantages that it serves to the IT and e-commerce companies even the individual persons are not devoid of their use. However, with this rapid growth, a huge gap has been created between the cloud environment and the security and privacy of the data. While many companies and service providers have been taking steps to mend this gap, rapid cyber-attacks have raised a serious question of how safe and secure are the data of the users which are often very sensitive and confidential. It is quite evident that the privacy and data protection laws are unable to change along with the evolution of the technology which in turn has given a safe passage to such cybercriminals. However, in recent days there have been many exemplary judgments where the companies have been held responsible for not adhering to the rules and they also had to pay huge fines. To bridge this gap, both cloud service platforms and privacy laws must go hand in hand as cloud security can only be strengthened by updating software and other technical up-gradation, whereas the laws will protect the victims of such attacks by giving them remedy and punishing the accused appropriately. The anonymity in the cyber world makes it quite impossible to trace such criminals, but, with the advent of technology and by clinging to the legal framework the solution to this problem is not far away.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: