I am conducting my proposal to analyse the privacy requirement for platform as a service in cloud computing and address it in security policy.
My objectives are:
1: To show how privacy requirement addressed in cloud computing security policy,
2: is there a gap between the requirement and policy that cause for security threats
3: to look at the privacy threats to claim some specific requirements needs to be clearly addressed in the security policy.
What research method would you suggest to me to approach this problem?
Hi Jafar
This is an area which could certainly use more research. There are a number of different drivers which cause a company to consider privacy issues, such as legislation, regulation, standards compliance, best practice, and common decency in protecting the privacy of clients. Legislation will usually provide a strong incentive to comply – the potential for large fines for breaches certainly tends to grab their attention. For companies operating in regulated industries, such as healthcare, or financial services to name but two, regulators are keen to see high standards of privacy maintained. The regulators have the power of sanction for any regulated company that breaches privacy, up to the highest sanction of withdrawal of a licence to operate in the industry. Standards compliance, not being mandatory, is less onerous, with the only real sanction being a failure to achieve compliance. Standards compliance is usually used by companies to demonstrate they operate to a higher standard than others. Often industries have a code of conduct for the industry which recommends “best practice” for a variety of important issues. And, of course, clients have an expectation that companies, to whom they disclose personal details, will take all reasonable steps to ensure the privacy of that information is maintained. That generally covers what should be.
However, the reality does not necessarily correspond to those ideals. There are a number of obstacles to be overcome. The first requirement is for the company to achieve a proper level of security. You can have good security, without achieving privacy, but you can't have good privacy without security. Achieving security and privacy is not a trivial exercise, and this becomes far more complex in cloud due to the additional complexity of cloud systems, and the increase in the number of potential external actors within the cloud ecosystem. Company management approach can also present problems. All too often, management assume cloud security and privacy is a “technical thing” and pass the buck to the IT department, usually without sufficient detail about what is required, without adequate funds to implement it properly, and without giving them enough clout to ensure compliance. This misses the point of the fundamental structure of the business architecture of a company, which is people, process and technology. Any solution which relies on technology alone will be doomed to failure. Another important issue is, of course, the attitude of the cloud service providers (CSP). They have been traditionally reticent to accept responsibility and accountability for their actions, or inactions, with the standard Service Level Agreement (SLA) addressing only availability. NIST in the US have been keen to develop a more accountable SLA, but have had limited success in getting CSPs to discuss this. The EU did set up a working party in 2012 to look at this, and did have input from CSPs. Culminating in the publication of a recommendation for a SLA which addresses security, privacy and accountability in addition to the basic availability. While this is encouraging, it has yet to be trialled, and of course, is neither mandatory, nor cross-jurisdictional to suit global needs.
Turning to the issue of policy, a good policy document needs to be written by someone who has a good understanding of what the privacy requirements are, what the mechanics of the systems in use are, what obstacles lie in the way, together with a good understanding of the threats which might obstruct achieving these goals. This will not be a trivial exercise. It is also clear that existing approaches do not work, otherwise we would not see so many privacy breach revelations in the media.
To get you started, I have attached a list of some work being done in the area of privacy and policy (although it is mostly privacy related). This will give you a good understanding of what is currently being done. There is no doubt that more is needed, and good luck with your research.
Regards
Bob
enc
- Badges
- Science topic
- Similar topics
- Methodology
- Research Methodology
- Research Papers