Privacy, trust and identity in the cloud

Social networking sites like Facebook and Twitter encourage sharing of personal information. How does this change the nature of personal privacy? Trust is fundamental since it forms the basis upon which personal and commercial transactions take place. However, trust and privacy are in conflict since knowing who you are dealing with is essential to trust. So how can identity, privacy and trust in the Cloud be reconciled?
 
Privacy
The internet and social networking sites like Facebook are redefining privacy in the world today. Privacy means that people are able to control what information about themselves is made available to other people. There is no universal agreement on what is private; different cultures hold different views on this, and what is considered private changes over time. For example, while in the UK the tax returns of individuals are private, in Norway the earnings of every citizen are publicly available [1]. This openness is good to ensure that people are correctly taxed but could put people with high incomes at risk of theft, kidnapping and extortion. Therefore privacy is a balance.
Governments have recognised the importance of privacy and have legislated on this issue. The European Convention on Human Rights [2] was adopted by the UK in 1998 and Article 8 of this convention guarantees a right to privacy. In Europe privacy of personal information is principally covered by two directives: 95/46/EC on personal data processing, and 2002/58/EC on privacy of electronic communications. These directives provide a common approach; however, laws vary in detail from country to country.
This legislation is, however, primarily aimed at governments and organisations holding personal data. It does not protect the individual from themselves [3] or the organisation from the employee acting as a private individual. The person using a social networking site is at liberty to give away personal information about themselves – even to their own detriment. They can also deliberately or inadvertently pass information or make comments that could damage their employer. They can also send ill-judged messages that are publicly visible using Twitter [4].
Trust
Trust is important since it forms the basis upon which personal and commercial transactions take place. Trust is, in some ways, in conflict with privacy. Privacy can be the friend of the confidence trickster and criminal by allowing them to conceal their identity and their previous activities.
What happens when there is a breach of trust – how is trust policed? Commerce is based upon legal enforcement of agreements; this can be very fast and effective. However, internet commerce has challenged this because it is not always easy to identify individuals and because transactions may take place across geographical boundaries. An alternative approach is that adopted by eBay where each buyer and seller has a feedback rating. This is an example of a trust metric where participants in a transaction rate each other and these ratings are publicly visible. If an eBay seller consistently behaves in a trustworthy manner their rating increases; conversely, if they do not, it decreases. People can choose whether or not to transact with another individual based on this rating.
Identity
In the cloud no one knows who you are; a self-created user identity is no longer adequate. The threat of impersonation is very real: individuals have had their Facebook identities stolen, and adult criminals pose as children to groom and lure children [5].
One solution to this is through “claims based” authentication. Traditionally the authentication and authorisation system is co-located with the application and the organization controls the provision of credentials. In the Cloud the authentication may be performed remotely from the Cloud application. The remote authentication system then makes a “claim” of identity to the Cloud system, which relies upon this claim. This is similar to a citizen of one country using a passport to enter another country.
Identity federation is a technology for claims based authentication between organisations. The user is authenticated by logging into their organisation; when they access a Cloud application, their identity is passed to the Cloud provider. This typically uses Security Assertion Markup Language (SAML) or Active Directory Federation Services (ADFS). The technology is secure but identity federation depends upon trust between the two organizations, which needs to be underpinned by legal agreements.
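The relying side of a claim can be sketched in a few lines. This is an added example, not part of the original article: it shows the checks a Cloud application makes before relying on a claim (known issuer, valid signature, intended audience, not expired). The issuer URL, application URL and key are constructed, and an HMAC key stands in for the certificate-based signatures that SAML and ADFS actually use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust table: the identity providers this application relies on.
# Assumption: an HMAC key replaces the X.509 certificates and XML signatures
# of real SAML/ADFS, so the example runs on the standard library alone.
TRUSTED_ISSUERS = {"https://idp.example.org": b"constructed-demo-key"}
AUDIENCE = "https://app.cloud.example"  # hypothetical Cloud application


def issue_claim(issuer, key, subject, audience, ttl=300, now=None):
    """Identity provider: sign a claim about a user it has authenticated."""
    now = time.time() if now is None else now
    claim = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    body = json.dumps(claim, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, sig))


def verify_claim(token, now=None):
    """Relying party: return the subject, or raise ValueError."""
    now = time.time() if now is None else now
    body_b64, sig_b64 = token.split(".")  # ValueError if malformed
    body = base64.urlsafe_b64decode(body_b64)
    sig = base64.urlsafe_b64decode(sig_b64)
    claim = json.loads(body)
    if not isinstance(claim, dict):
        raise ValueError("claim is not an object")
    # The issuer field is untrusted until the signature checks out; it is
    # used only to select which configured key to verify against.
    iss = claim.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("issuer is not a federation partner")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature does not match the issuer's key")
    if claim.get("aud") != AUDIENCE:
        raise ValueError("claim was issued for a different application")
    if not isinstance(claim.get("exp"), (int, float)) or claim["exp"] <= now:
        raise ValueError("claim has expired")
    return claim["sub"]
```

The trust table is the technical counterpart of the agreement between the two organisations: the application accepts an identity only from issuers it has been configured to rely on.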
Identity 2.0 provides the means for individuals to build their own electronic identity, independently of their employment, based around their personal associations (school, college, interests, etc.). This also contains the mechanisms for these individuals to use trusted third parties to substantiate their claims.
Content sensitive IAM
Identity and Access Management normally controls access to specific resources. This form of access control does not help where data is unstructured and messages are being created on the fly. Mandatory Access Control or more recently Digital Rights Management allows the owner of certain information to retain control over how this information is used but it is limited to special cases.
Content sensitive IAM extends control to cover data based on its content. The control is enforced at the time that the data is created, discovered, or transmitted.
Summary
The Cloud now provides many services that are used by individuals to network and to buy services. This has created new challenges relating to privacy, trust and identity. Privacy legislation is principally aimed at protecting the individual’s personal information from misuse by governments and organisations. It does not help to protect the individual against their own misjudgements or the organisation against the mistakes of their employees.
Identity 2.0 allows individuals to create and manage their own identities but this raises the risk for others unless these identities can be affirmed by trusted third parties. Content sensitive controls may provide a solution to some of the issues.
About the Author
Mike Small of the London Chapter ISACA Security Advisory Group and senior analyst with KuppingerCole is running a workshop on "Securing the Cloud" at ISACA's Information Security and Risk Management Conference 2011, held in Barcelona 12-16 November: www.isaca.org/isrm
Notes:
1 http://www.barentsobserver.com/norways-tax-list-revealed.4832722-116321.html
2 Convention for the Protection of Human Rights and Fundamental Freedoms, Rome; 4th November, 1950.
3 Dangers of loose talk online with Facebook 'friends': http://www.bbc.co.uk/news/uk-wales-11098396
4 Doncaster man guilty of Twitter airport threat http://news.bbc.co.uk/1/hi/england/south_yorkshire/8673196.stm
5 Facebook and Bebo child sex abuse postman jailed: http://www.bbc.co.uk/news/uk-england-cornwall-11403984
