The final part of this article looks at how and where data is stored or handled and the issues that arise in cloud computing through the process of creating multiple instances of data across multiple server platforms. Cloud computing relies on this mechanism for many of its key benefits but, by doing so, invites further challenges for data security.
Data collection and storage is usually bound by legislation or regulation which varies depending on the jurisdiction under which a service falls. Most prominent regulations, however (e.g., those in the US and Europe) share certain principles in common that demand, for example, that data is collected with the subject’s permission, with their full understanding of what the data will be used for, only if the data is relevant to the stated purpose, only for that stated purpose, with transparency and with accountability. For the subject of the data this should mean that they consent to the service provider collecting data relating to them, they know what data that is, who has access to it and why, as well as how to access it themselves if they want to.
It is therefore paramount for IT service providers, who have stewardship of any data, that they are able to identify where data is stored within those services that they provide, how to access it and whether it is secure. However, the abstraction of cloud services in particular can cause challenges for those who utilise them to store or process data because they cannot necessarily guarantee where this data is at any given time. The physical location and guardianship can be obscured, with data hosting sometimes crossing different sites, geographical boundaries and even jurisdictions.
In such cases where private information is involved, the answer often lies with private clouds employing on-site hosting as mentioned in earlier parts of this article, but there is often a trade off with some of the other benefits of cloud which are discussed below.
Multiple Data Instances
Two of cloud computing’s biggest selling points are that of redundancy and scalability. These are often achieved by utilising multiple servers to provide the underlying computing resource, with, therefore, the data within a cloud service being ultimately stored across these numerous servers. Moreover, cloud structures will also create multiple instances of data across these servers to provide a further layer of redundancy protection. However, the more servers that data is shared across, the greater the risk that this data may be susceptible to security vulnerabilities on one of those servers (e.g., malware, hacks); whilst the more instances there are of a piece of data, the greater the risk (by definition) that that data may be accessed and used by unauthorised users. Essentially, data in one place needs to be protected once, data stored in a 100 places, will need to be protected 100 times.
What’s more, as each server and platform is likely to be shared, particularly in the public cloud model, each data instance may be subject to another security threat introduced, inadvertently or otherwise by the 3rd party users who share the resources. In a private cloud, however, this threat is reduced as the cloud resource exists behind the one organisation’s firewall and fewer instances of the data are created in the first place (fewer servers to pool). Consequently there is always a degree of trade off between introducing security risk and the level of redundancy and scalability built into a system (although of course redundancy can prevent data loss in itself). Private clouds may be more secure but with smaller pool of resource they cannot match the levels of redundancy and scalability offered by the vast capacities of public clouds.
Stuart P Mitchell