Security, Privacy And Compliance In The Cloud - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management
Commentary
2/20/2009
05:59 PM
Roger Smith
Roger Smith
Commentary
50%
50%

Security, Privacy And Compliance In The Cloud

One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain't easy!"

One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain't easy!""Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual's right to privacy and if I violate that I've violated a public trust. That's a level of responsibility that most computer security people don't have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature, she joked, "the former may be preferable to the later."

Stanford's Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize heath records nationwide was moving along in fits and starts, as shown by proposed systems like Microsoft's Health Vault and Google's Personal Health Record. "The key problem is who is going to pay for the computerized of health records. It's not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it's still a huge problem."

Mucha said that from his perspective security service providers in the cloud and elsewhere are dealing with a shrinking security parameter or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual, who under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has been shared with others for certain purposes.

CPUC's Lawson said that at a minimum cloud service providers should adhere to what are commonly known as SAS 70 rules from the American Institute of Certified Public Accountants, which defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. Examples of service organizations that need to do this are insurance and medical claims processors, trust companies, managed security providers, credit processing organizations and clearinghouses, hosted data centers, application service providers (ASPs) and cloud service providers.

Lawson brought up a challenging example of how privacy mores, which are norms or customs, have changed over time. "Ten or fifteen years ago," she explained, "the fact that someone was pregnant was often a closely-guarded secret. Now, that kind of things is out in the open and discussed on TV and in magazines. Which makes for an interesting exercise, if you're trying to design a privacy profile for someone over many years." Mucha said one possible solution to this problem might be the notion of "security following the data" with individuals having the right to redact or revise their data, which could potentially create a huge problem for both government and health care workers.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
10 Cyberattacks on the Rise During the Pandemic
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/24/2020
News
IT Trade Shows Go Virtual: Your 2020 List of Events
Jessica Davis, Senior Editor, Enterprise Apps,  5/29/2020
Commentary
Study: Cloud Migration Gaining Momentum
John Edwards, Technology Journalist & Author,  6/22/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Slideshows
Flash Poll