Technology: Preparing for the new year with cloud computing issues to watch in 2014
Encryption, identity management and wearable technology look to be hot issues in cloud computing as we enter 2014.
January 03, 2014 at 03:00 AM
8 minute read
The original version of this story was published on Law.com
Cloud computing continues to gain traction as businesses seek greater business agility and expanded ways to connect with customers that increasingly engage with businesses through social media and mobile technology. So as we prepare to start the New Year, it is a good time to consider some of the things attorneys should be watching in the area of cloud computing. These include encryption, identity and access management and wearable technologies.
Encryption
With the NSA in the headlines this year for monitoring U.S. citizens, cloud encryption solutions are expected to dominate the cloud landscape in 2014 as more companies seek to encrypt data being placed into the cloud. Gartner predicts that, in 2014, cloud-based tokenization and encryption will be among the highest growth areas of cloud security.
Encryption is a control mechanism used to protect data by restricting access to only those people with the credentials necessary to decrypt the data. Encryption is not new, however, has not been widely used in the cloud environment. Cloud services evolved around consumers, and the focus was on providing functionality and ease of use for consumers who want to handle tasks directly, so often encryption security features were not included. Encryption also requires that the encryption keys be properly managed. The encryption keys must be secured and stored so that critical data does not become compromised if encryption keys are stolen or irretrievably lost if the encryption keys are accidentally deleted. Attorneys should be aware that many businesses do not have personnel trained in encryption and often do not have data classified in a manner that facilitates encryption.
In order to address encryption demands, some businesses are considering cloud encryption gateways, a solution that enables cloud adoption while keeping sensitive data on premises and tokenizing or encrypting that data so that it is protected in the cloud. Split key encryption is expected to become even more popular in 2014. With split key encryption, the encryption key is split in two, one half held by the cloud service provider and one by the cloud user so that the cloud user's database can only be accessed with the cloud user's participation.
Some companies, particularly those in healthcare, are now installing full-disk encryption on their employee laptops. Note, however, that some of the leading encryption products are configured so that once the password is entered, the laptop is unencrypted (and unprotected) until the laptop is booted down. A laptop in the “sleep” mode may not trigger application of the encryption protection. This means that a laptop that is lost or stolen while in “sleep” mode may be completely unprotected. Attorneys should consider whether their organization's technology policies should be modified to require employees to completely shut down their laptops before removing them from the workplace and to only use the “shut down” function, rather than “sleep” mode, when traveling or leaving their laptop unattended in an unsecure environment. Additionally, attorneys should consider whether technologies policies address encryption of mobile devices and media, such as USB drives, if they will be used remotely.
The cost of encryption does not appear significant when measured against the potentially substantial financial exposure to an organization that can arise from a data security breach, especially one that involves protected personal information or health information. Most security breaches today do not occur because of cybercrime. They are associated with people coming in the “front door” with the use of weak or stolen credentials or lost or stolen devices. If organizations allow their employees to use their own devices, cloud security professionals are recommending encryption if there is a possibility sensitive data will be stored on those devices. Organizations may have a policy prohibiting the storage of sensitive information on personally owned devices, but often such policies are difficult to enforce. This explains an increasing use of company owned computers and encrypted portable media.
Given the prominent role of encryption in cloud security, attorneys are encouraged to spend some time in the New Year consulting with their organization's IT and security teams to gain an understanding of this important aspect of cloud security and to include appropriate protections in cloud services agreements.
Identity management
Identity management also is expected to gain increasing attention in 2014. Managing who has access to what — and how to quickly eliminate access when employees leave the company — is essential to enterprise security yet is more complicated in today's cloud environment. Without cloud identity management, companies have difficulty adopting public cloud solutions safely and effectively. The concept of “aggregate identity” is being discussed by cloud security professionals as a means of addressing identity and access management. This aggregate identity will consist of several parts, including corporate, personal, devices used, behavior and social identity. The challenge in identity management is the need for organizations to quickly determine who the user is and what the user is authorized to have access in a cloud environment that is fast moving, outside of the organization's control, and, very complex.
“BYOI” or “bring your own identity” is an emerging concept in cloud security. As the name suggests, it means bringing your own identity to online interactions. The concept can be understood in terms of social identity as access — for example, using your Amazon ID to shop at various stores rather than creating a new account at each store. According to a recent study, less than 5 percent of customer identities are based on social network identities but by the end of 2015, 50 percent of all new retail customer identities are expected to be based on social network identities.
Social identity is being promoted by large cloud service providers to help reduce the costs of identity management and provide a framework to consumerize identity. Some government agencies are using this approach. For example, New York's Ny.gov website uses an online ID and password that enables individuals, businesses and organizations to securely access multiple online government services with a single user ID and password.
Cloud, mobility and BYOD are driving developments in BYOI. Some areas of current focus in BYOI include strength of authentication and identity administration, determining who is responsible if the identity is breached, and methods for revoking access. Attorneys will need to monitor the developments in this area to understand how legal compliance may be impacted by BYOI.
Wearable technology
Wearable technology continues to expand as Google Glass and other wearable technology illustrate. Wearable technologies are worn in the much the same manner as traditional eyeglasses or clothing are worn, with the difference being that they interact with the user based on the context of the situation. These wearable technologies can act as intelligent assistants or provide augmented reality and rely on the cloud for data storage and other services.
These wearable technologies, together with other mobile devices, enlarge the legal, security and privacy issues that attorneys need to consider in helping their organizations maintain effective privacy and security controls. While there are currently a number of wearable technologies used in industry, such as armbands that track goods being gathered by employees, many of the wearable technologies are designed for consumer use and do not necessarily have the built-in security controls necessary to meet business security needs.
The Federal Trade Commission is closely monitoring Google Glass and other wearable computers for potential privacy violations. With these emerging wearable technologies, it is important for attorneys to consider the associated privacy and security implications. Wearable technologies and other mobile technologies significantly impact traditional IT security models by increasing the security perimeter for businesses. Developing systems for accurately identifying and creating an inventory of these types wearable technologies and mobile devices will be essential to effectively managing the security and compliance responsibilities — without such an inventory, it will be difficult to manage these technologies. Attorneys will need to ensure that their organization's cloud and information security controls and policies address wearable technologies and the growing array of mobile devices.
Conclusion
Technology continues to move beyond traditional computer equipment and mobile devices into enterprise assets and wearable computers that rely on the cloud. Attorneys need to help their organizations proactively explore the possibilities presented by these emerging technologies in order to be operationally and organizationally ready to address security, governance and compliance issues.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
What to Know About the New 'Overlapping Directorship' Antitrust Development
4 minute read
Tesla, Musk Appeal Chancery Compensation Case to Delaware Supreme Court
2 minute read
Fatal Shooting of CEO Sets Off Scramble to Reassess Executive Security
5 minute read
Ben & Jerry’s Accuses Corporate Parent of ‘Silencing’ Support for Palestinian Rights
3 minute readTrending Stories
- 1Chicago Cubs' IP Claim to Continue Against Wrigley View Rooftop, Judge Rules
- 2Fulton DA Seeks to Overturn Her Disqualification From Trump Georgia Election Case
- 3The FTC’s Noncompete Rule Is Likely Dead
- 4COVID-19 Vaccine Suit Against United Airlines Hangs on Right-to-Sue Letter Date
- 5People in the News—Jan. 10, 2025—Lamb McErlane, Saxton & Stump
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
