No, this isn’t a post about a secretive intelligence agency. Rather, my reference to CIA is to the well-known acronym in the information security industry to “Confidentiality, Integrity, and Availability” of data. The same language is also used in certain privacy laws. Most businesses only thing of the confidentiality aspect of this acronym and frequently forego substantial consideration of the two remaining protections. Today, I’d like to quickly touch on the importance of data integrity and availability in cloud engagements.
Integrity. Data integrity means that the data has not been corrupted or altered in such a way as to no longer be accurate and reliable. Clearly an important protection. It is interesting to note, however, that many vendor agreements for cloud services specifically disclaim liability for data integrity. In fact, a growing number of vendors actually include language in their contracts making the customer responsible for the accuracy and integrity of their data even while being hosted on the vendor’s servers. I suggest such an approach is unacceptable.
A customer can and should be responsible for ensuring the data, as delivered to the cloud service, is accurate and that any errors introduced by the customer are the customer’s responsibility. However, errors introduced by the vendor’s software, systems, and personnel should be the responsibility of the vendor. Else, how can a customer rely on the data?
Availability. Usually, availability is generally a concern to be discussed in connection with the SLAs in the vendor agreement. That is partially correct, but the broader issue of ensuring critical data is available when needed must be more generally addressed. That would include considerations of SLAs, backup requirements, disaster recovery measures, and the ability of the customer to reconstruct data, if needed.
When considering entrusting their data to a cloud provider, businesses should consider all three elements of “CIA” are adequately addressed and reflect the criticality of the relevant data.