Pre-requisite:- Cloud Computing

There is a misconception about data privacy that it is a subset of information, in the following article we’ll discuss privacy in cloud computing, by differentiating the privacy concerns according to traditional computing. The definition of privacy will be different according to the countries, their jurisdiction, their people’s point of view, etc. Privacy is generally shaped by the legal interpretation of public expectations, so its concise and worldwide acceptable definition might not be possible.

Privacy rights are related to users’ data, storage, and destruction of their personal data that is how an organization is using the data of their users, if they are breaching the rules of their jurisdiction or using data inappropriately then privacy will be subjected to legal jurisdiction.

Data Life Cycle

The personal information of users should be managed as a part of the organization’s data, it should be managed from the time information is received till its destruction.

Personal information should be protected in the cloud in each of the following phases:-

Components of Life Cycle

Generation of the Information

• Ownership: Who in the organization owns the user’s data, and how is the ownership of data maintained within the organization?
• Classification: How and when is personally identifiable information classified? Are there any limitations on cloud computing on specific data cases?
• Governance: To ensure that personally identifiable information is managed and protected throughout its life-cycle

Use of the Information

• Internal v/s External: Are personally identifiable information used only inside the organization or they are used outside the organization?
• Third Party: Is the personally identifiable information shared with third parties(organizations besides the parent company having data).
• Appropriateness: Is the personally identifiable information of users being correctly used for which it is intended?
• Discovery/Subpoena: Is the information stored in the cloud will enable the organization to comply with legal requirements in legal proceedings?

Transfer of the Data

• Public v/s Private Network: Are the public networks secure(protected) enough while the personally identifiable information is transferred to the cloud?
• Encryption Requirements: Is the personally identifiable information encrypted while transmitted via a public network?
• Access Control: Appropriate access control measures should be taken on personally identifiable information when it is in the cloud.

Transformation of Data

• Derivation:- While data is being transformed in the cloud, it should be protected and user limitations should be imposed on it.
• Aggregations:- The data should be aggregated so that we can ensure that it is no longer identifying any personal individual.
• Integrity:- Is the integrity of personally identifiable information maintained while it is in the cloud?

Storage of Data

• Access Control: Appropriate access controls should be used on personally identifiable information while it is stored in the cloud so that only individuals with a need to know will be able to access it.
• Structured v/s Unstructured: How the stored data will enable the organizations in accessing and managing the data in the future.
• Integrity/Availability/Confidentiality: How data integrity, availability, and confidentiality are maintained in the cloud?
• Encryption: The personally identifiable information should be encrypted while it is in the cloud.

Archival

• Legal and Compliance: Personally identifiable information should have specific requirements that will instruct how long the data should be stored and archived.
• Off-site Considerations: Does the cloud service provider have the ability for long-term off-site storage and should also support the archival requirement?
• Media Concerns: Who will control the media and what is the organization’s ability to recover in such cases when the media is lost?
• Retention: For how long the data should be retained on the cloud by the cloud service providers?

Destruction of the Data

• Secure: Does the cloud service providers destroy the personally identifiable information obtained by the customers to avoid a breach of information?
• Complete: Does the personally identifiable information be completely destroyed? (erase the data, or it can be recovered)