How To Write An Saas Data Privacy Framework

Transcription

1 SaaS Data Privacy Thesis IT Audit Executive Master of IT Auditing (EMITA) Thesis ID: 1005 March 2010 Nicole Woodriffe Student number: Ir. María José Alonso Alonso Student number: Ir. Erica Zaaiman RE (Company supervisor) PwC Dr. Abbas Shahim RE (University supervisor) Atos Consulting

2 Copyright by María José Alonso Alonso and Nicole Woodriffe 2010

3 Abstract Abstract As the world economy still seems to be in a time of crisis, cost-saving is becoming the most common catchword. Other companies have seen an opportunity: they are offering Software-as-a-Service (SaaS). According to Gartner, about 25% of business software will be delivered under the SaaS model by SaaS is a model of software deployment whereby a provider licenses an application to customers for use as a service. The SaaS model of software application delivery has a multi-tenant architecture that allows numerous customers to operate out of a single software application. SaaS offers companies potential options to reduce internal resources and expenses reserved to application maintenance, version updates and patching. Once an existing application is moved to the vendor, the overall IT spending can be reduced. The newly available internal resources are then free to be allocated toward other internal operations priorities. However, this multi-tenant architecture raises concerns about data privacy. The growing popularity of SaaS is having a significant impact on data security. Firstly, by using SaaS, the business (critical) data is stored at a remote location outside the corporate controlled range. It may well lead to extreme dependency on vendor s integrity and expertise concerning the confidential data. Secondly, the data is placed at a supplier site which may have several customers. In principle a general security strategy is defined for the data of several owners, however it may raise some concerns since it is not tailored to all the customer s needs. The aim of our research was to study the risks of SaaS services regarding data privacy and which privacy aspects should be incorporated in the contracts of SaaS services. To answer this question, we studied the concept of SaaS and which privacy concerns are inherent to SaaS services. We limited our research to the confidentiality aspect of privacy. Based on this study, we developed a framework containing the attention points that the SaaS vendors should include in their contracts to provide assurance to their customers regarding privacy. We performed a practical research to validate our study. Thesis IT Audit: SaaS Data Privacy i

4 Acknowledgements Acknowledgements We would like to take this opportunity to thank everybody who was involved in helping to complete this thesis. Firstly, we want to express our gratitude to our mentors Abbas Shahim and Erica Zaaiman for their guidance and support. They provided us with helpful ideas and led us to the completion of this thesis. We would also like to thank to the people who participated in our research and gave us a lot of insights during the interviews. All of them were prominent figures with great and interesting thoughts on the research topic. Last but not least, we want to thank our family, friends and classmates for all the support they gave us during these past few months. Maria Alonso is especially thankful to her companion, Bruno Gaspar, for his assistance and support in numerous and invaluable ways. Amsterdam, March 2010 Nicole Woodriffe & Maria Alonso ii Thesis IT Audit: SaaS Data Privacy

5 Table of Contents Table of Contents Abstract... i Acknowledgements... ii Table of Contents... iii List of Figures and Tables... iv List of Abbreviations... v Chapter 1: Introduction Problem definition Research objective Research questions Research approach Thesis overview by chapter... 2 Chapter 2: SaaS and Data Privacy Software as a Service (SaaS) Introduction Key characteristics SaaS versus ASP Technologies enablers of SaaS SaaS hosting SaaS platform SaaS architecture Data Privacy What is privacy? Data privacy laws European directive 95/46/EC Privacy challenges for SaaS services SaaS data privacy framework Chapter 3: Practical research Methodological approach Research strategy Data collection and analysis SaaS data privacy framework assessment The role of the IT auditor Chapter 4: Conclusions and recommendations Appendix A: Companies involved with SaaS Appendix B: Interviewees and Questionnaire Appendix C: Definitions Appendix D: Bibliography Thesis IT Audit: SaaS Data Privacy iii

6 List of Figures and Tables List of Figures and Tables List of Figures: Fig. 1 - Research approach... 2 Fig. 2 - Traditional software services versus SaaS... 5 Fig. 3 - Technologies enablers of SaaS... 6 Fig. 4 - SaaS platform... 8 Fig. 5 - SaaS architecture models... 9 Fig. 6 - SaaS data architecture approaches List of Tables: Table 1 - Data controller obligations according to the DPD Table 2 - Key privacy concerns for SaaS services Table 3 - Privacy concerns related to SaaS architectures Table 4 - SaaS data privacy framework Table 5 - SaaS data privacy framework assessment iv Thesis IT Audit: SaaS Data Privacy

7 List of Abbreviations List of Abbreviations Abbreviation Definition AICPA American Institute of Certified Public Accountants APEC Asia Pacific Economic Corporation Article 29 WG Data Protection Working Party (established under the DPD) ASP Application Service Providing CBP College Bescherming Perssongegevens CEN European Committee on Standardisation CEN/ISSS CEN Information Society Standardization System CICA Canadian Institute of Chartered Accountants CRM Customer Relationship Management DPD Data Protection Directive (European Directive 95/46/EC4) EU European Union GAAP Generally Accepted Privacy Principles HR Human Resources IAM Identify and Access Management IDb Isolate Database IDg Isolate Diagram IPSE Initiative for Privacy Standardization in Europe N/A Not Applicable SaaS Software as a Service SAS70 Statement on Auditing Standards No. 70 SDg Shared Diagram SDLC Software Development Life Cycle SHP SaaS Hosting Provider SLA Service Level Agreement SOA Service Oriented Architecture SSL Secure Socket Layer SSC SaaS Service Customer SSP SaaS Service Provider U.S. United States of America WBP Wet Bescherming Persoongegevens WPR Wet Persoonregistraties XML Extensible Markup Language Thesis IT Audit: SaaS Data Privacy v

8 List of Abbreviations Intentionally left blank vi Thesis IT Audit: SaaS Data Privacy

9 Chapter 1: Introduction Chapter 1: Introduction In this chapter we introduce the problematic that motivates our thesis, the objective of the investigation, the research questions, the research approach and the thesis overview by chapter. 1.1 Problem definition As the world economy seems still to be in a time of crisis, cost-saving is becoming the most common catchword. Other companies have seen an opportunity: they are offering Software-as-a-Service (SaaS). According to Gartner, about 25% of business software will be delivered under the SaaS model by 2011 [1]. SaaS is a model of software deployment whereby a provider licenses an application to customers for use as a service. The SaaS model of software application delivery has a multi-tenant architecture that allows numerous customers to operate out of a single software application. SaaS offers companies potential options to reduce internal resources and expenses reserved to application maintenance, version updates and patching. Once an existing application is moved to the vendor, the overall IT spending can be reduced. The newly available internal resources are then free to be allocated toward other internal operations priorities [2]. However, this multi-tenant architecture raises concerns about data privacy. The growing popularity of SaaS is having a significant impact on data security. Firstly, by using SaaS, the business (critical) data is usually stored at a remote location outside the corporate controlled range. It may well lead to extreme dependency on vendor s integrity and expertise concerning the confidential data. Secondly, the data is placed at a supplier site which may have several customers. In principle a general security strategy is defined for the data of several owners, however it may raise some concerns since it is not tailored to all the customer s needs [3-4-5]. From the data privacy perspective, the customers remain always owner and responsible for their data, nevertheless the SaaS vendor must give certainties concerning data privacy. The contract with a SaaS vendor does not eliminate the customer's legal responsibility for the activities conducted by the vendor. Companies often forget the data privacy risks associated with the added contract complexity. It is important to negotiate appropriate controls and manage vendor reporting. Many SaaS services are contracted under standard vendor-developed contracts. They add significant data privacy risks [6]. 1.2 Research objective The aim of our research was to study the risks of SaaS services regarding data privacy and which privacy aspects should be incorporated in the contracts of SaaS services. We have limited our research to the confidentiality aspect of privacy. 1.3 Research questions In order to reach the research objective, the following three sub-questions have been defined: 1. What is SaaS and what are the issues related to data privacy within SaaS services? 2. Which aspects should the SaaS providers take into account in their contracts to provide assurance to their customers regarding data privacy? And 3. What is the role of the IT auditor in the data privacy of SaaS services? Thesis IT Audit: SaaS Data Privacy

10 Chapter 1: Introduction 1.4 Research approach The figure 1 represents the research approach chosen to answer the corresponding questions and achieve the goals mentioned above. During the first part of our research we performed a literature study concerning the SaaS theory and the data privacy theory and we analysed how these two theories interact with each other. As an outcome of this initial phase a framework was developed. During the second part of our research we validated the framework by means of a practical case and interviews with experts (IT-auditors, teachers, software architects, lawyers, etc.). In the end we addressed our conclusions based on the analysis performed on the first and second part of our research. Fig. 1 - Research approach 1.5 Thesis overview by chapter The thesis is structured as follows: Chapter 1 contains the introduction of the problematic, the objectives of our study and the research approach. In Chapter 2 the first research sub-question is addressed by explaining the SaaS and data privacy theory and how they interact with each other. Afterwards, a framework is presented to cover the second research sub-question by describing which aspects SaaS providers should take into account in their contracts to provide assurance to their customers regarding data privacy. The Chapter 3 contains the practical research. This chapter starts with the methodology approach followed by the assessment of the framework and ends with the answer of the last research sub-question by marking out the role of the IT auditor in the data privacy of SaaS services. In Chapter 4 the conclusions and recommendations are presented and entirely summarised. Appendix A contains a table with the most well known SaaS companies nowadays and information about what SaaS services they provide. In Appendix B we included a list of the people interviewed for the practical research and the questionnaire for them. Finally, Appendix C contains relevant definitions for this thesis and Appendix D the bibliography. 2 Thesis IT Audit: SaaS Data Privacy

11 Chapter 2: SaaS and Data Privacy Chapter 2: SaaS and Data Privacy In this chapter we present the theory of SaaS and data privacy, the nature of the privacy challenges in SaaS services and the guidelines to protect the data when purchasing and using a SaaS service. A framework containing what SaaS vendors should provide to ensure the privacy of their customer s data is presented. 2.1 Software as a Service (SaaS) In this section we provide the theory of SaaS including the SaaS definition, key characteristics, technology enablers and SaaS architecture Introduction SaaS is a new software application delivery model where the software is hosted on the SaaS vendor infrastructure and delivered via web to a large number of tenants and the mode of payment follows a subscription model. SaaS is sometimes also known as hosted software or by the term on-demand [2]. SaaS allows software application vendors to deliver a web based model to serve a variety of clients with multi-tenancy based infrastructure and shared application architecture. The SaaS vendor is responsible for the software delivery applications and services to their customers through Internet. SaaS vendors may disable the service after the on-demand contract expires. One of the earliest reports describing software turning into service was made in 1999 by Pearl Brereton [7], who was a membership of Pennine Group. They foresaw that the future of software lay not in developing new architecture based on constructional forms, such as objects or components, but in taking a radically different delivering way of software s functionality to the user. The term Software as a Service (acronym SaaS) was used for the first time in the white paper called "Software as a Service: Strategic Backgrounder" by the software & Information Industry Association's e-business Division published in February 2001 [8]. Turner proposed in 2003 that the basic essence of SaaS is a disassociation of software s ownership and right of use [7]. In 2006 SaaS was getting more popular as Internet broadband with high speed was becoming affordable. People started getting used to the idea of doing business through Internet. SaaS vendors started to grow and therefore offered customers a wider variety and choices. Customers were not limited to just one SaaS vendor. Taking away the costs of the infrastructure, software upgrades and security surrounding the software made the SaaS services very attractive for the customers. Now they could spend less time in operational issues and focus on their core business. There are two main types of SaaS services: business oriented services and customer oriented services. The first category offers software solutions to companies or enterprises. A number of applications and software services fall under this first category such as product management services, enterprise planning, human resources services (HR), online bookkeeping or customer relationship management (CRM) applications. The second type provides software solutions or services to the general public. Web based services is a good example of the customer oriented SaaS. Thesis IT Audit: SaaS Data Privacy

12 Chapter 2: SaaS and Data Privacy Sometimes these services are offered on a subscription basis but mostly they are offered for free [2]. We will focus our thesis on the business oriented SaaS services. About 25% of business software will be delivered under the SaaS model by 2011 according to Gartner [1] and according to a recent report issued by Springboard Research, SaaS will account for more than 15% of the enterprise software applications market in Asia Pacific by 2010 reaching $1.16 billion [9]. Deutsche Bank projected that the SaaS market will account for half of the application software spent, or $30 billion by 2013 [10], and Bill Gates forecast that the emergence and rise of the SaaS business model will be the next sea-change in computing [11]. IDC predicted that the percentage of U.S. companies which plan to spend at least 25% of their IT budgets on SaaS applications will increase from 23% in 2008 to nearly 45% in 2010 [12]. It is only now the realization sets in of the importance and the quantity of software that will be delivered through SaaS. Presently, on the market there are several SaaS vendors. Unlike other computer technologies, SaaS does not have a clear market leader. Instead, SaaS has a number of different service providers, who each provide useful services for a number of different scenarios. In appendix A, we detailed some of the most well known SaaS companies and the kind of software services they provide Key characteristics Traditionally software system and customer s data were stored and run by the customer. However, SaaS changes this by offering hosting services. The software applications are hosted now externally on a remote server by the software vendor and they are accessed by the organization via Internet. The figure 2 shows schematically the differences between the traditional software services and the new SaaS services [3]. This new software distribution model has the following main characteristics [2-13]: The SaaS vendors offer their software solutions to their customers in the form of a service, instead of a product. The SaaS vendors offer now hosting services including maintenance, support and upgrades of the software applications, which eliminate the need for end-users to download patches and upgrades. The SaaS vendors offer also their IT infrastructure and services for data storage. The customer s data and the software application are now at the SaaS vendor. Therefore, the customers have no longer the costs of managing and maintaining the software applications and their data. It is a web based service. The software applications are accessed by the organization over Internet. This means that the customer just needs a PC with a browser and an Internet connection to have access to the software application. The costs are now based on usage (subscription or pay-as-you-go ). The customer does not pay for the licenses and operational costs like in the traditional software services. Under SaaS the customers can pay a periodical fee for their usage or be charged based on how much they use a particular software service. Application delivery is typically closer to a one-to-many model (single instance, multi-tenant architecture) than to a one-to-one model including architecture, pricing and management. 4 Thesis IT Audit: SaaS Data Privacy

13 Chapter 2: SaaS and Data Privacy Traditional Software Service Costumer Software Licenses & Operational Costs User Software Services Software + Data Traditional Software Vendor Software as a Service Costumer Pay-as-you-go User Software Services Internet Software + Data SaaS Vendor Fig. 2 - Traditional software services versus SaaS SaaS versus ASP SaaS provision and Application Service Providing (ASP) are two terms that are often used to describe the same thing, the delivery of software applications via Internet. Although both SaaS and ASP are very similar to each other, there are differences between the two software delivery models. It was ASP that first created this new software delivery model and SaaS has evolved from ASP. These two concepts SaaS and ASP are usually confused. I understand completely why people are confused about ASP and SaaS says Laurie McCabe, an analyst at AMI-Partners Inc. in New York. The terms are often used interchangeably. They shouldn't be, but they are [14]. ASP created the outsourced software delivery model. ASP was very attractive in the 1980s and 1990s. Companies were encouraged by the speculative nature of the stock market until the crash of The vendors built huge data centres and managed to sign up customers with the promise of complete outsourcing of all applications and data. However, ASP was not very successful as there were many technical and business challenges [15]. Providing applications through Internet is different from delivering data. The unique application s behaviour plus the memory and network requirements could not be gathered into a single and scalable process. The biggest problem for ASP was the fact that they could not use a scalable system to support thousands of customers and users while making profit. In addition, Internet in that time was immature for this type of service [15]. After 2005 new Internet technology emerged and became available (refer to section 2.1.4) which allow the new SaaS software delivery model. Therefore, SaaS is an evolution from the ASP model. SaaS offers practically the same as ASP: hosted applications through Internet. However, single instance multi-tenancy architecture is adopted. SaaS is able to offer a more scalable system than the ASP [ ]. Thesis IT Audit: SaaS Data Privacy

14 Chapter 2: SaaS and Data Privacy Technologies enablers of SaaS SaaS has changed the way software is being delivered to the customer. This has been possible due to mature technologies and to the rapid advance of Internet speed, connectivity and reliability. As the Internet became more reliable, more companies started to use Internet as their primary communication medium for doing business [17]. SaaS turned into a successful method of delivering business services across the web. The current economy has given the SaaS phenomenon an enormous boost. The paper published by Mark Turner Turning software into a service, IEEE computer society in October 2003 [5], highlight the fact that there were significant gaps in technical aspects of delivering software as a service at that time. After 2005 the market for SaaS solutions evolved with new technology emerging and becoming available [ ]. The key enablers of SaaS are: Fig. 3 - Technologies enablers of SaaS Web 2.0 Web 2.0 was launched in This introduction was the start of using the web as a platform, enhancing the creativity, communications, security, collaboration, and functionality of the web. Web 2.0 was not just a new version of the World Wide Web; it opened the door to enable a different perspective of using the web by the software developers and end-users. Internet has become the main communication platform and the browser has become the universal user interface. Web 2.0 has the capabilities of client and server side software and makes use of network protocols. Standards-oriented web browsers may use plug-ins and software extensions to handle the content and the user interactions. Web 2.0 technology has enabled SaaS to emerge due to the ability to read and write dynamic and near real-time data and to program a remote functionality to create a new class of web applications with those capabilities. Service Oriented Architecture (SOA) SOA has established its value in enterprise systems as architecture for integration, consolidation, and reuse. SOA is a methodology that provides a set of principles and governance concepts used during the development and integration phases of systems. 6 Thesis IT Audit: SaaS Data Privacy

15 Chapter 2: SaaS and Data Privacy SaaS can make use of SOA to enable software to communicate with each other. SaaS providers consider SOA in building the SaaS offerings. Cloud computing Cloud computing is a method of computing in which dynamically scalable and often virtualized resources are provided as a service over Internet. The users do not need to have specific knowledge or control of the technology infrastructure in the cloud. The cloud can be used to offer SaaS solutions. Vendors do not need to invest in the hosting infrastructure. The attractive aspect is the fact that data, software, hardware and IT services are available anytime, anywhere. SaaS vendors have the opportunity to provide users with more economic solutions. Virtualization is the key behind cloud computing. Virtualization Virtualization is an abstraction of computer resources. It creates an external interface that hides an underlying implementation. Basically this is a way to make full use of existing hardware, operating system or application resources by simulating a resource that is not physically present. Virtualization helps SaaS vendors in scaling the SaaS software without the cost of implementing extra servers. This means that the SaaS vendor can offer optimal services with a reasonable price SaaS hosting SaaS hosting refers to the method in which SaaS vendors offer their software solutions to customers in the form of a service instead of a product. For larger companies (such as Microsoft, Google, etc.), hosting software services within their own data centres and using their own servers is not a constraint due to their huge resources. However, for smaller or even medium sized businesses SaaS vendors, it can often be very expensive and time consuming to swap their business model from a product-based software model to a service-based software model. For small and medium SaaS vendors shifting from a product orientated model to a service-orientated model is not an easy step. SaaS vendors have to change completely their payment models and they also have to ensure that their services can be accessed by a wide range of users all across the globe with 24/7 availability. Furthermore, SaaS vendors have to deal with new Service Level Agreements (SLAs), ensuring that they deliver to their customers exactly what they paid for. SaaS vendors could consider using a SaaS Hosting Provider (SHP) if they want to avoid all of these efforts but still want to change their software application delivery model to a SaaS-based one. A SHP can take a lot of the strain away from SaaS vendors by dealing with the migration process from a product-based delivery model to a service-based delivery model [13]. SHP usually helps SaaS Service Providers (SSP) to fine tune their software applications so that they are optimized for Internet access while also providing them with the infrastructure for their customers with the new software application delivery model. One of the benefits of using a SHP is that SHPs offer multi-tenant hosting or shared hosting, meaning that many users can access a single instance of a software application. Moreover, when software services are hosted on SHP s data centres, the SSPs don t have to purchase new machines or upgrade their existing infrastructure. Management costs are also reduced because a business doesn t have to manage or maintain the infrastructure [13]. Thesis IT Audit: SaaS Data Privacy

16 Chapter 2: SaaS and Data Privacy SaaS platform A SaaS platform is a software program (which can be thought of as a layer of software), that is used to host other software applications. It deals with all the SaaS related management processes such as offering software services on demand or making a software service accessible to multiple users [13]. The SaaS platform allows many users to access a single instance of a particular software application. A SaaS platform can be viewed as a traditional operating system with the difference that it runs and manages applications which are designed to be accessed over Internet, rather than being accessed locally (see figure 4). Apart from making a single software service or application available to many users, a SaaS platform also has other responsibilities like monitoring and measuring the usage of software services [13]. Fig. 4 - SaaS platform Nowadays there are a number of SaaS vendors that offer their own SaaS platforms, for example Microsoft and Oracle. According to McKinsey & Company, the increasing adoption of SaaS is fuelling the rise of a new generation of platforms to develop, integrate, deploy and host SaaS applications. These SaaS platforms come in several flavours for the different market prospects [19] SaaS architecture There are several approaches when we talk about SaaS architecture. According to Microsoft MSDN [20], SaaS architectures can be classified into four maturity levels in terms of their deployment customization, configurability, multi-tenant efficiency and scalability attributes. According to Mike Chung [3], SaaS architectures can be classified into four logic architecture models. We classified the SaaS architecture of the SSPs according to their hosting model into the three following models (see figure 5): 8 Thesis IT Audit: SaaS Data Privacy

17 Chapter 2: SaaS and Data Privacy Own hosting: SaaS providers adapt their own infrastructure to offer SaaS services. It is the most expensive model but, on the other hand, they have all the control over the infrastructure. Managed hosting: SaaS providers use the infrastructure from a SHP who manages it for them. It is similar to traditional hosting but tailored to SaaS. SaaS providers know where their data is and they can get higher service levels and support. Cloud hosting: SaaS providers obtain on-demand access to infrastructure capacity over the cloud. Major advantages of cloud computing relative to the managed hosting consist of a faster capacity provisioning and ability to scale capacity up and down as needed. On the other hand, SaaS providers cannot choose or customize their infrastructure and they don t know where the data of their customers are. Fig. 5 - SaaS architecture models Data architecture With SaaS, the data is stored and managed externally at the SaaS vendor. Ideally, a multi-tenancy SaaS data model should have network-based access, low overhead and it should be robust and secure. Tenant s specific data and queries should be separated, isolated and secured from each other. There are three approaches to manage multi-tenant data in a SaaS model (see figure 6) [ ]: Isolated databases (IDb): this is a separate and dedicated customer database approach. Each consumer has its own database at the supplier. Each customer remains logically isolated from data that belongs to all other tenants. Metadata associates each database with the correct customer, and database security prevents any customer from accidentally or maliciously accessing other customer s data. Thesis IT Audit: SaaS Data Privacy

18 Chapter 2: SaaS and Data Privacy Isolated diagram (IDg): this second approach makes use of a shared database and schema with a fixed extension set and customised extensions. The consumers share the database, but everyone has its own diagram in the database. This approach offers a moderate degree of logical data isolation. Shared diagram (SDg): this third approach applies a shared database concept with separate schemas or custom extensions. The consumers share not only the database, but also the diagram. The customer has its own client-id in the database. The shared-schema approach is appropriate when it is important that the application be capable of serving a large number of tenants with a small number of servers. However, because multiple tenants share the same database tables, this approach may require additional development effort in the area of security to ensure that tenants can never access other customer data. Fig. 6 - SaaS data architecture approaches 2.2 Data Privacy In this section we present the definition of privacy, a data privacy laws overview, a description of the European Directive 95/46/EC and the nature of the privacy challenges in SaaS services What is privacy? You can have security and not have privacy, but you cannot have privacy without security. Tim Mather A common misconception is to think that data privacy is a subject of information security. Although both are interrelated, privacy has its own concerns. The concept of privacy differs widely among countries, cultures, and jurisdictions. It is formed by public expectations and legal interpretations [17]. Alan Westin, one of the famous social engineers, defines the privacy as the claim of individuals, groups or institutions to determine for themselves when, how, and to what extend information about them is communicated to others [22]. 10 Thesis IT Audit: SaaS Data Privacy

19 Chapter 2: SaaS and Data Privacy Another definition with a growing popularity is the one provided by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) in the Generally Accepted Privacy Principles (GAPP) standard [23]: The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information. At the end of the day, privacy for us is about the confidentiality of the personal information provided to data subjects by organizations. Integrity and availability are out of scope for our research. Like privacy definition, there is no universal consensus about what personal information represents. For the purpose of this research, we will use the EU Directive 95/46/EC definition [24]: Personal data shall mean any information relating to an identified or identifiable natural person known as data subject. Sensitive personal data is data related to a data subject s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life Data privacy laws Across the globe, the legal and regulatory requirements for data privacy goes from strictly enforced to non-existent. In Europe, privacy is considered a basic human right and cannot be separated from someone s personal freedom. The European Union Data Protection Directive is principle-based, where personal data processing is only possible according to the statutes of this directive. In other countries such as the United States, activities of personal data processing are generally considered legal unless specifically prohibited by jurisdiction state or federal regulations. The U.S. regulatory environment is a complex combination of sector-specific federal privacy laws, state-specific laws, and other laws and regulations. The approach reflected by the Asia Pacific Economic Corporation (APEC) Privacy Framework is established also as best practices for organizations operating within these economic areas. Unlike the EU Directive, these guidelines are not mandatory [17]. Within the EU, the rules regarding protection of personal data are described in the Article F of the Treaty of the European Union, Article 7 of the European Charter of Fundamental Rights, Article 8 of the European Convention on Human Rights, the European Directive 95/46/EC4 (DPD) and the European Directive 2002/58/EC5. The principles of these texts have been further refined and explained in numerous other documents, e.g. the Opinions and Recommendations adopted by the Article 29 Working Party, the advice organ of the European Commission regarding privacy [25]. Directives do not automatically become law in Member States. Each State has to pass its own national law to implement a directive. This means that there can be variations between the national laws and the time of implementation. Directive 95/46/EC should have been executed by all Member States by October 1998 [26]. On the 6 th of July 2000 the Senate for the Netherlands approved the Personal Data Protection Act ( Wet bescherming persoonsgegevens, WBP), ( the Act ). The Act implemented the Directive and came into force on the 1 st of September 2001 [26]. This law replaced the Wet Persoonregistraties (WPR) [27]. The College Bescherming Persoonsgegevens (CBP) is formally charged with supervision of compliance with the WBP [28] European directive 95/46/EC We have used the European Directive 95/46/EC as a reference for our framework since it is the foundation for all the privacy laws in Europe, including the Dutch one [ ]. The DPD sets out a Thesis IT Audit: SaaS Data Privacy

20 Chapter 2: SaaS and Data Privacy number of basic requirements for the lawful processing and acceptable use of personal data. The Directive itself is too abstract and too complex to directly generate technical specifications. The articles of the Directive 95/46/EC have been translated into principles [29-32]. These principles can be summarized as follows: Data quality: processing of personal data must comply with quality requirements. Quality means that the personal data are adequate, relevant, not excessive, correct and accurate in relation to the purposes for which they are collected and subsequently processed. Personal data should not be kept longer than necessary. Legitimate processing: the processing of personal data is fair and legitimate provided adequate grounds are satisfied. Transparency: data subjects must be informed about what is done with their personal data. The data subject s rights: persons whose data are collected have a number of rights among others the right of access, rectification, erasure, blocking and objection. Confidentiality and security: the controller is under the obligation to implement appropriate technical and organisational measures to protect personal data against loss or any form of unlawful processing. The measures guarantee, having regard to the state of the art and the costs of implementation, an adequate level of security. The adequacy of the level of security depends on the risks involved in the processing and the nature of the data. The measures also aim at preventing unnecessary collection and further processing of personal data. If processing is outsourced to a processor, it must be ensured that he will observe the instructions of the controller. Notification: the processing of personal data must be reported in advance to the Data Protection Authority or a privacy officer (where applicable), unless the processing system in question has been exempted from notification. Transfer to third parties: without prejudice to compliance with the act, additional rules apply to personal data which are subject to processing or which are intended to be processed in another country outside the European Union after being transferred. These data transfers are subject to rules. The EU Directive distinguishes between data controller and processor [17-29]: The data controller: is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or community laws or regulations, the data controller or the specific criteria for his nomination may be designated by national or community law. It is the data controller, the SaaS Service Customer (SSC) in our case, that is responsible for implementing an effective mechanism and, therefore, ensuring that its use of third-party service providers (such as SSPs) does not violate the law. The processor: is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller. The processor in our case is the SaaS Service Provider. If a SaaS Service Provider does not have the authority to make decisions regarding the processing of data (e.g., acting only on instructions from the data controller), it is not subject to the same strict rules as the data controller. 12 Thesis IT Audit: SaaS Data Privacy

21 Chapter 2: SaaS and Data Privacy Table 1 shows a high level description of the obligations of the data controller (column 1), the details of the EU Directive article from which the obligation has been derived (column 2) and the data protection principle (column 3) [30]. Data controllers must: Comply with administrative formalities before the data protection authority (i.e. notification). Relevant articles DPD Principle 18, 19, 20, 21 Notification Inform the data subject of the processing. 10, 11 Transparency Make sure data is collected (and subsequently used or further communicated) only for specified, explicit and legitimate purposes. 6.1.b Data quality - Purpose limitation Keep personal data no longer than necessary. 6.1.e Data quality - Retention Make sure personal data is accurate and, where necessary, kept up-to-date, and make sure the data is adequate, relevant and not excessive in relation to the purposes for which they are processed. 6.1.c, d Data quality - Quality of data and proportionality Respect the data subjects rights. 12, 13, 14, 15 Rights of data subject Make sure processing is fair and that there is a legitimate ground for processing personal data. Secure the data and take technical and organisational security measures that are appropriate to the risks (against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access) entailed by the processing. And: Make sure that any person acting under the authority of the data controller (including the processor) processes the personal data only upon, and according to, instructions provided by the data controller. Data controllers can: Process sensitive personal data and / or a national identifier number or any other identifier of general application: If so, the data controller must make sure there is a legitimate ground for processing personal data. Outsource data processing operations: If so, the data controller must make sure that any person acting under his authority does not process the personal data except on instructions from the data controller. Make decisions by automatic means: If so, the data controller must make sure there is sufficient ground to do so and must give the data subject the opportunity to discuss the results of a relevant automated decision with a representative of the party making such decision or otherwise to make representations to that party. Transfer data to third countries. If so, the data controller must ensure that adequate safeguards are put in place in the third country to ensure law compliant processing of the 6.1.a, 7 Legitimate processing 16, 17.1 Security and confidentiality Relevant Principle: articles DPD 8 Legitimate processing - special categories of personal data 16, 17.2/3/4 Security and confidentiality - Processor 15 Rights of data subject 25,26 Transfer of personal data to third countries Thesis IT Audit: SaaS Data Privacy

22 Chapter 2: SaaS and Data Privacy Data controllers must: transferred data. Relevant articles DPD Principle Table 1 - Data controller obligations according to the DPD Privacy challenges for SaaS services The growing popularity of SaaS has a significant impact on data privacy. There are additional security and privacy issues raised when customer s data is located at the SaaS vendor. The first key aspect of SaaS is that there is usually an infrastructure shared between different customers. Therefore, there are threats associated with the fact that the data is stored and processed remotely, and there is an increased usage of virtualization and sharing of platforms between users. Protection of confidential and sensitive data stored in the SaaS provider infrastructure is for that reason extremely important. Another key aspect of SaaS is the fact that it is usually web based. The SaaS provider delivers the service over the Internet. Cryptography and network security are very important to provide confidentiality to the data-in-transit of their customers. Another feature of SaaS is the complex and changeable environment, where service interactions can be created in a more dynamic way than traditional scenarios. In such scenarios, confidential data may move around within an organization and across organizational boundaries, so adequate protection of this information must be maintained despite the changes. The table 2 shows the most important risk areas regarding privacy for SaaS services. Risk area Access Storage Retention and Description The SaaS provider delivers the service over Internet. Secure transmission (e.g.: encryption), secure web services, adequate Identify and Access Management (IAM) and network security are key aspects to prevent the customer s data from being intercepted during transmission. In the cloud, the main concern is the organization s ability to provide the individual with access to all personal data. Data segregation is one important aspect to take into account with SaaS services. Data from one customer should not be mixed with data from another one. A fact like the infrastructure is shared between different customers or the usage of virtualization and sharing of platforms between users have a significant impact regarding data segregation. With virtualization data separation is logical, not physical, as was done previously, and there are valid concerns about the adequacy of that logical separation. In the cloud, the main concern is also where the data is stored. Privacy laws in Europe countries require additional measures to be taken when organizations transfer certain types of personal information to other countries outside the EU. When the data is stored in the cloud, data transfer to other countries may occur without the knowledge of the organization, resulting in a potential violation of the local law. Data subjects have the right to know what personal information is collected and they can make a request to stop processing it. If a data subject exercises this right to ask 14 Thesis IT Audit: SaaS Data Privacy

23 Chapter 2: SaaS and Data Privacy Risk area destruction Compliance Description the organization to erase his data, it should be possible to ensure that all of his information has been erased. How long personal information is retained and which retention and destruction policies govern the data are key aspects for privacy. The question here is how the SaaS provider destroys customer data at the end of the retention period and how organizations ensure that their data is destroyed by the SSP at the right time. Another point is how the customers know that the SSP did not retain additional copies. This includes also backups and remained data in the virtual servers. Virtual storage devices can be reallocated to new users without erasing the data, and then allocated to new users. Personal information stored in these devices may now be available to the new user, potentially violating the law. In the cloud, the main concern is who enforces the retention policy and how are exceptions to this policy managed. Cloud storage providers usually replicate the data across multiple systems and sites - increased availability is one of the benefits they provide. This benefit turns into a challenge when the organization tries to destroy the data: can you truly destroy information once it is in the cloud? Did the SSP really destroy the data, or just make it inaccessible to the organization? Is the SSP keeping the information longer than necessary so that it can use the data for its own use? The question here is to know how organizations can monitor their SSPs and how they obtain assurance that their privacy requirements are met by the SSP. In the cloud, the main concern is to know how to monitor and how to report the activities in the cloud. Cloud storage providers usually replicate the data across multiple systems and sites. This turns into a challenge when the organization tries to monitor the data: can you truly monitor information once it is in the cloud? Table 2 - Key privacy concerns for SaaS services Based on the literature study and the interviews performed, we arrived to the risk levels presented in table 3. This table shows the level of risk (H - High; M - Medium; L - Low) associated to the privacy concerns above mentioned related to the different SaaS data architectures (refer to section 2.1.7). Risk area Own Hosting Managed Hosting Cloud Hosting IDb IDg SDg IDb IDg SDg IDb IDg SDg Access L M H M M H H H H Storage L M H M M H H H H Retention & Destruction L M H M M H H H H Compliance L M H M M H H H H Table 3 - Privacy concerns related to SaaS architectures 2.3 SaaS data privacy framework In this section we present the SaaS data privacy framework to answer the second research subquestion: which aspects should the SaaS providers take into account in their contracts to provide assurance to their customers regarding data privacy? Contract and legal agreements have always existed between software providers and their customers, based around the software applications that software vendors sell. When a SaaS based software delivery model is used, the software vendor is in control of the software applications and customer data rather than the customer. The contract of a customer with a SaaS provider should define the Thesis IT Audit: SaaS Data Privacy

24 Chapter 2: SaaS and Data Privacy requirements regarding information privacy of the customer. It may cover the specifications and performance of the service regarding data privacy, the entity responsible for taking measurements of these specifications and the penalties for data privacy failure. In this section we propose guidelines regarding privacy for SaaS customers when purchasing and using SaaS services based on the identified privacy risks for SaaS services and the relevant articles in the DPD. The framework focuses on the certainties that the SSP should provide to the customers in their contracts regarding privacy. For each of the principles this section contains: 1. A high level description of the principle. 2. Reference to the relevant articles in the EU directive Data Protection Directive (EC95/46). 3. The SaaS customer responsibilities and the activities they should perform to guarantee that the privacy requirements are met. 4. The certainties that the SaaS provider should offer to their customers in order to assure that the customer privacy requirements are met. - Data quality Description of principle: Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not be further processed in any manner incompatible with those purposes. Proportionality - Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or further processed. Quality of data - Personal data must be accurate and, where necessary, kept up-to-date. Retention - Personal data shall not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Relevant articles: DPD 95/46/EC art. 6.1.b (purpose limitation), c (proportionality), 6.1. d (data quality) and 6.1.e (retention). SaaS Service Customer responsibilities: Purpose limitation - customer should determine for what purpose the data is collected and is processed. This purpose should be formulated in specific terms. Proportionality - customer should determine and ensure that the personal data processed is adequate, relevant and not excessive in relation to the purpose for which it was collected and processed. Quality of data - customer should determine the measures to be in place to make sure personal data is accurate, complete and up to date. Retention - customer should determine how long personal data will be kept after the data is no longer necessary for the purpose for which the data was collected and processed. The length of data storage also depends on the applicable laws regarding the type of data that is processed. SaaS Service Provider certainties: Purpose limitation - The SaaS provider should comply with the customer requirements regarding personal data processing so that it is not incompatible with the customer purposes. The question here is to know how the SaaS Provider ensures that the data is only processed according to the terms described in the data processing agreements with the customer. SaaS vendor should guarantee that the application works as it is specified to achieve the purpose limitation goals. These guarantees by the SaaS provider regarding the purpose limitation principle should be included in the agreements. Proportionality - N/A Quality of data - N/A 16 Thesis IT Audit: SaaS Data Privacy