The Cloud MiniSeries Part 3: What are the Risks of Cloud Computing?

The Cloud MiniSeries Part 3

What are the Risks of Cloud Computing?

Welcome to Part 3 of The Cloud MiniSeries. Here we will explore the risks of Cloud Computing, including data security and data ownership. Where does cloud data reside? Who can access it? How is it protected?

 

Let’s start with data security. Where does data “on the cloud” actually reside? It turns out the cloud is a collection of giant computers located in warehouses around the world. All data must be physically be stored somewhere. Cloud service providers own mega-warehouses all over the world that are full of hard drives attached to computing systems.The hard drives store data. These warehouses are called “Server Farms”. As cloud service providers have server farms around the world, it is nearly impossible to track where your data is actually being stored at any given time.

“Server-farm” by: laboratio linux, CC BY-NC-SA 2.0.

“Facebook server-farm” by:Jonathan Nimrodi, https://www.cloudyn.com/blog/10-facts-didnt-know-server-farms/

(Interesting fact: Facebook built it’s server farm along the Arctic Circle in Northern Sweden to save costs on air conditioning. As data storage computing uses so much electricity, it generates a lot of heat! Greenpeace has been pressuring more “progressive” cloud service providers to power their facilities with renewable energy and to repurpose the heat generated by their facilities, but few companies have taken the challenge yet).

Once you agree to the Terms and Conditions of using cloud computing, you no longer have physical access to your data. In making this decision, you are trusting that the service provider will safeguard your data from hackers, system failures and physical harm. In 2016 the Cloud Security Alliance (CSA, a highly respected international non-profit concerned with cloud security) reported the top twelve threats to data stored in the cloud:

1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues

(https://cloudsecurityalliance.org/articles/cloud-security-alliance-releases-the-treacherous-twelve-cloud-computing-top-threats-in-2016/)

According to the CSA, cloud computing is relatively safe is not foolproof. There have been multiple cases of hackers virtually burglarizing server farms and stealing personal information including username and password information for hundreds of thousands of users. The CSA recommends all cloud users encrypt their data while storing it in the cloud to safeguard against hackers. Another potential threat is physical harm to a server farm, via natural disaster or intentional destruction. To avoid data loss due to physical destruction, most service providers replicate user’s data and store it in two or three different locations around the world.

 

Let’s talk about data ownership in cloud computing. Once you release your data into the cloud, do you still own it? To date there are no international laws regarding data ownership in the Public Cloud. The EU is moving quickly to introduce laws that would ensure data ownership is retained by users, but it is unclear how this law will affect service provider practices. Currently, most providers do not address data ownership in their Terms and Conditions Agreements, which is suspicious. Therefore, the issue is a nebulous one. Undoubtedly, this will become a prominent issue in the near future.

 

In sum: Data security and data ownership are complex issues and can be challenging to navigate. If you do plan to use cloud computing to store and process your data, there are a few simple steps you can take to help ensure the security of your data:

• Carefully read the Terms and Conditions of any cloud service provider you are considering using and make sure you are comfortable with the agreement before accepting
• Do not store very important personal information on the cloud (i.e. Social Insurance Number, copies of ID, banking info etc)
• Encrypt your data before saving it onto the cloud
• Back up your important data on a physical hard drive that you own
• Stay informed about cloud computing practices

 

Thank you for reading our Three Part MiniSeries The Cloud! We have learned what cloud computing is, how it works, and things to be aware of when using the cloud. Until next time!

The Cloud MiniSeries Part 2: How does The Cloud Work?

The Cloud MiniSeries- Part 2

How does The Cloud work?

 

“Cloud Computing” by: Sam Johnston, CC-SA 3.0.

Cloud computing can be best understood from two different vantage points: the Cloud Deployment Model (how people can access the cloud), and the Cloud Service Model (the different levels of cloud computing that people can use).

First let’s define cloud service provider: A cloud service provider is a company that offers any or all types and models of cloud computing services to the public. Examples of these companies include: Amazon Web Services, Microsoft Azure, Google Cloud Platform, Apple iCloud.

Deployment Models

Cloud computing has four main Deployment Models that are important to understand. A Simplilearn “Cloud Computing Tutorial” (https://www.youtube.com/watch?v=RWgW-CgdIk0&t=504s)  provides a helpful analogy of travel vehicles to help explain the four deployment models:

1. Public: Cloud infrastructure that is made available to the general public over the internet and is owned by a cloud service provider. The Public Cloud is like a public transit bus- it is accessible and cheap, pay-as-you-go, but you do not have much control over how the bus is built or what route it will take, and you have to share it with other people.
2. Private: Cloud infrastructure that is owned only by one person or organization. It can be managed by this organization or by a third party; and can be local, or remote (managed by a third party cloud service provider). The Private Cloud is like purchasing your own car. There is a huge upfront cost and it is expensive to maintain, however you have increased agency autonomy in every aspect of your journey.
3. Community: Cloud infrastructure that is owned by a group of people or organizations, and that is structured to support specific community needs. It can be managed by this group, but is more likely to employ a third party service provider. The Community Cloud is like taking a taxi with your friends. You are sharing the cost of a semi-private vehicle to take you where you want to go together.
4. Hyrbid: Cloud infrastructure that blends public and private. Some aspects of the infrastructure, software and/or data management is owned by a person or organization while other aspects are owned by a cloud service provider. The Hybrid Cloud is like renting a car- it is not as expensive as owning a car, but you only have partial freedom. Many Federal Agencies use the Hybrid Cloud model, using a Private Cloud to store sensitive data, and employing the Public Cloud to do business and collaborate with other agencies/ organizations.

“Cloud deployment models” by: Arron Fu, https://www.uniprint.net/en/7-types-cloud-computing-structures/

There are also three main types of Cloud Service Models, offered by Cloud providers. Again, Simplilearn provides an analogy of baking a cake to help explain these service models:

1. Infrastructure as a Service (IAAS): provides basic computing infrastructure, like a virtual machine. This is the most complex and involved level of service for the user, as it requires you to build up from the basic infrastructure that is provided. This level of service is usually used by IT administrators and architects.If you were baking a cake with the help of IAAS, IAAS would provide the kitchen, oven and electricity; and you would bring the cake pan, measuring cups, flour, sugar, butter, eggs etc.
2. Platform as a Service (PAAS): provides infrastructure and an interface to program. This service allows you to develop and manage software and applications using a pre-existing infrastructure and platform. This service is usually used by software developers.If you were baking a cake with the help of PAAS, PASS would provide the kitchen, oven, electricity, cake pan and measuring cups; and you would bring the flour, sugar, butter, eggs etc.
3. Software as a Service (SAAS): provides infrastructure, interface and finished application products that you can customize/ use. With this service, the software is already in place and the applications are ready-to-use (ie. gmail, google docs, any application you can access on the internet). This service is used by end customers.If you were baking a cake with the help of SAAS, you would go out to a restaurant where all you have to do it pay and SAAS would provide everything in the form of a baked cake.

“IaaS, PaaS, SaaS – What do they mean?” by: Ensi-Maria, http://cloudonmove.com/iaas-paas-saas-what-do-tean/

To sum up: Cloud computing is a spectrum internet-based data management services. These services are available in a spectrum ranging from public services at low costs to private services at higher costs (Deployment Models). Organizations can also have varying levels of control over their cloud management depending on their expertise and specific needs (Service Models).

 

The Cloud MiniSeries Part 1: What is “The Cloud”?

The Cloud MiniSeries- Part 1

What is “The Cloud”?

“High Above the Cloud, the Sun Stays the Same” by: Wing-Chi Poon, CC-BY 3.0.

I first started hearing about The Cloud a few years ago in casual conversation: peers were increasingly making comments like “Why don’t you just save it to The Cloud?”. But what exactly is The Cloud? How does it work? What are the benefits and cautions of using it? Who does it serve, and how? Is The Cloud safe? I will explore these questions in a three part MiniSeries about The Cloud. Welcome to Part One: What is “The Cloud”?

What is The Cloud?

The Cloud refers to the myriad of services offered via “cloud computing”. So, what is cloud computing then?

Cloud computing is the practice of using a network of remote servers hosted on the internet to store, manage and process data- rather than using a local server or hard drive. Services are accessed on-demand and are pay-as-you-go.

This means that instead of having to set up and maintain your own computing infrastructure, platform, software and applications, you can access all of these services on the internet.

As the internet becomes an increasingly utilized method of communication and collaboration among individuals and organizations around the world, cloud computing has developed as a practice that allows organizations to avoid setting up their own computing infrastructure to process, share and store their data. Through cloud computing services, organizations can use another company’s infrastructure, platforms and applications to organize, process, share and store their data- for a fee.

Consider this: if an organization like a business were to provide themselves with the same services that the cloud offers, they would have to physically build the computing infrastructure which would be expensive and take up space. They would have to hire an IT team to design, create and manually operate their platform and software, which would also be expensive. The business would have minimal flexibility with sharing data because their infrastructure and platform would be isolated, and may not be compatible with other software. Finally, if their infrastructure broke for some reason, it would be impossible to recover data because it would be physically destroyed.

To sum up: cloud computing offers a service of convenient internet-based data processing and storage at a lower cost than consumers can develop for themselves.

It should be noted that there are some risks and drawbacks to cloud computing, which I will discuss in Part 3 of this MiniSeries.

Are Teachers Gaffing with GAFE?

“Google” by Nick Youngson CC BY-SA 3.0

Google Apps for education (GAFE) is Google’s education productivity targeted services providing customized versions of multiple Google products (e.g., Gmail, Google Calendar, Docs, Sheets, Slides, Play, News etc.). They are primarily a core suite of communication and collaboration applications enabling teachers and students to work from any device on collectively held projects and documents.They are offered free to schools and educational institutions and are being utilized widely.

Google provides the following steps outlining the use and benefits of GAFE:

• Once a school registered email address is registered with Google Apps for Education, teachers and students can unlock Google’s apps with one login.
• An “office suite” of tools – Docs, Sheets, Slides, and more – that offers the ability to work from any device as well as share and collaborate.
• Because all Google Apps save to the cloud, teachers and students gain the flexibility to work from any computer or device.
• Students and teachers can seamlessly save work and collaborate both synchronously and asynchronously.

But wait, what is that third point involving everything being saved to the cloud?

Cloud computing, defined by the Office of the Information & Privacy Commissioner in their document relating cloud computing to FIPPA is:

• “the practice of using the Internet to process,
• manage and store data on remote network services––now permits individuals
• to perform traditionally private activities on the Internet. This computing
• trend is fueling a mass migration of information, once stored on the hard
• drives of personal computers, to remote servers in a domain controlled by
• online service providers.”1
• 1 Nied, “Cloud Computing, the Internet, and the Charter Right to Privacy: The Effect of Terms of
• Service Agreements on Reasonable Expectations of Privacy” (2011), 69 The Advocate 701 at 706.

So where does this storage of data happen?

In the case of Google, it is stored outside of Canada.

Why is that important?

Because according to FIPPA:

• “In addition to the requirement for public bodies to protect personal information no
• matter where it is, FIPPA also requires public bodies to ensure that, subject to three
• exceptions listed in s. 30.1 of FIPPA, personal information is only stored in and
• accessed from inside Canada.5 This presents an issue for public bodies because
• currently, many companies that offer cloud computing store information outside of
• Canada.
• Public bodies must consider s. 30.1 of FIPPA when making decisions about whether
• to store personal information in the cloud. With limited exceptions as set out in
• FIPPA, personal information, including information in computer logs and on backup
• tapes or drives cannot be stored or accessed outside of Canada. Under FIPPA, it is
• an offense to store or allow access to personal information outside of Canada unless
• it is authorized”
• 5 In 2009 the BC Government made a submission to a special committee of the Legislative Assembly
• that the prohibition on storage and access outside of Canada should change. The Committee’s
• subsequent report did not endorse this recommendation but it acknowledged the challenges public
• bodies face as a result of this requirement. Complete information about the Committee, its report
• and all submissions received are available online at http://www.leg.bc.ca/foi/.

This poses the question to school administrators and educators that are using GAFE, do they have an adequate understanding of the personal information that they might be collecting through GAFE applications both intentionally and unintentionally?

While I personally have used some of the GAFE applications and acknowledge their great benefits, I have also observed their misuse in the classroom in regards to being mandatory for student participation and involving the submission of personal data that have not been correctly managed through consent acquisition and in regards to being stored outside of Canada. For these reasons I think it is paramount that teachers gain an understanding of the FIPPA guidelines and that these guidelines should be translated into a more comprehensive resource package.

Are Big Digital Corporations Changing their Views on Privacy?

“Internet Security Padlock for VPN & Online Privacy” by Mike MacKenzie, CCBY 2.0.

At a recent conference on digital privacy in Brussles, keynote speaker Tim Cook (CEO of Apple) gave an ardent speech calling for new digital privacy laws in the USA. In his speech he warned that the amounts of personal data being mined are detrimental to our contemporary society.

Cook touched on four important rights and posed challenges to corporate companies:

1 – That companies minimize the personal data they collect on customers,

2 – That users have the right to know what data is being collected on them,

3 – Companies recognize and acknowledge that data belongs to the users and therefore users should readily be able to access, correct, and delete their personal data and,

4 – The right to security for all users

While this rhetoric is not new for Apple and by stating his commitment to privacy he is implying their competitors’ lack of (he has previously been critical of Facebook and Google’s business model of collecting personal data for advertising purposes), his commitment to privacy law development is being touted by some as a sincere call to action. Apple has recently unveiled expanded privacy protection measures allowing users to view and download all personal data held by Apple (https://techcrunch.com/2018/10/17/apple-privacy-pages-data-access-requests/). On the other hand critics have called it a “cynical joke” (https://www.thestreet.com/technology/tim-cook-recasting-apple-as-privacy-warrior-14761482) are pointing out that this is just a public shaming of rival companies and that despite this, Apple indirectly benefits from Google’s business, being paid as much as $9 billion this year for Apple to make Google its default search engine on many i devices (http://time.com/5433499/tim-cook-apple-data-privacy/).

Even more recently, Microsoft’s CEO, Satya Nadella, gave a similarly themed speech supporting user digital privacy as a ‘human right’ (https://bgr.com/2018/11/01/microsoft-ceo-privacy-speech-human-right/).

While these announcements are encouraging at face value, they are met with scepticism and suspicion by many. While the stories develop and the business community reacts users can only hope that rhetoric eventually translates to laws and that those laws are followed.

Data Mining in the Classroom?

There is an old saying “If you are not paying for something, than you are the product.” This sparks the question: What is the advantage to Google for providing a suite of free educational services for students, teachers and parents across North America? What is Google getting out of it? In this post we will explore data mining in the classroom: is it happening? If so, what kind of data is Google collecting? How are they getting it? Is it legal? Are consumers/users aware of what data is being collected and how it is being used? For this post, we will focus on Google, since Google Apps for Education (GAFE) are the most popular classroom apps in North America today (https://news.elearninginside.com/g-suite-education-mining-student-data-matter/).

 

In 2015 the Electronic Frontier Foundation (a prominent digital privacy watchdog based in California) filed a complaint with the Federal Trade Commission against Google for collecting and data mining school children’s personal data via GAFE. They accused Google of collecting and storing student’s personal information, likely for advertising or resale purposes. They also accused Google of providing schools with free, low-quality Chromebooks that have the Sync setting on, which allows Google to store detailed browsing information and connect it to student IDs.  (https://www.theverge.com/2015/12/1/9832210/eff-google-student-privacy-pledge-ftc-complaint). They noted that the synced Chromebooks are of particular concern because parents do not have the option to consent to their children using Chromebooks in the classroom (and in some schools their use is mandatory).

Google responded to the allegations by renewing their vow to the “Student Privacy Pledge”- a legally binding pledge intended to “safeguard student privacy regarding the collection, maintenance and use of student personal information” (https://studentprivacypledge.org/privacy-pledge/); and stated “we provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures” (https://news.elearninginside.com/g-suite-education-mining-student-data-matter/).

In 2017 Google was charged again with misuse of private student information and was not reprimanded legally. (https://news.elearninginside.com/g-suite-education-mining-student-data-matter/).

 

So it seems like the answer to our question is: yes, Google can collect data on students via Educational Apps in the classroom. The new question for teachers and students concerned about their digital privacy is if Google (or any other company) is collecting data from the classroom at any given time. If so, which data they are collecting, and what it is being used for? It is problematic that it is nearly impossible for regular people to find answers to these questions, especially in a timely manner.

 

Understanding that using corporate Educational Apps in the classroom can be a risk to student privacy opens up a whole new set of questions for teachers looking to find convenience in the classroom. We will explore more of these questions in our upcoming blog posts- stay tuned!

FIPPA Fact Sheet

So what exactly is FIPPA? Below is a bit of a Fact Sheet we distilled form the hefty legal documents down to something more manageable and informative. Hopefully it can be useful. If you require deeper knowledge or more detailed information, check out the link to the comprehensive document.

• British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) sets out the access and privacy rights of you, as an individual, as they relate to the public sector. It’s actually one of several privacy laws that apply in BC including the Personal Information Act (PIPA), the federal Privacy Act, and the Personal Information and Electronic Document Act (PIPEDA).
• Under FIPPA, you have the right to expect that public bodies will collect and use your personal information appropriately and lawfully. You also have a right to:

o   access your personal information;

o   request correction of your information if it’s inaccurate;

o   consent to the collection, use and disclosure of your information; and

o   complain to the Information and Privacy Commissioner if you believe your privacy has been breached.

• Personal Information = all recorded information about an identifiable individual (e.g., info on where you live, but not info on where you work)
• When your information is collected, you must be informed.
• Your personal information can only be used for the purpose for which it was collected and cannot be stored and used for something else later.
• Your information may be disclosed under various circumstances (some common examples are to law enforcement agencies and government bodies and for health and safety reasons).
• The entities that have collected your information are required to protect it from unauthorized access, collection, and use. In addition, there are restrictions on the storage of information outside of Canada and this often requires your consent. Quite often popular “cloud-based computing” services are outside Canada.

o   What are examples of outside Canada, cloud-based computing? Facebook, SurveyMonkey, Dropbox and Gmail are a few examples.

Now, as an educator, consider this list again, but everywhere the list refers to ‘you’ insert ‘your student’ and everywhere it references the entity that is collecting the information – this is you and chances are the school you work for is very much in the public sector.

Do you feel you are informed enough to fulfill the lawful duties of the collector of others’ personal information?

If not, please read the upcoming tech posts.

 

An Exploration of Corporate Classroom Apps

For my tech inquiry project I will be delving into questions about the use of classroom facilitation apps in schools. I am particularly interested in the Big Three: Google Classroom, Apple Classroom and Microsoft Classroom. These apps are clearly advantageous to some teachers who use the software to organize and facilitate their classrooms, but is there more to the story? What’s in it for the app creators (considering the apps are free)? What are the motivations and intentions of Google, Apple and Microsoft? Are they collecting data on students and teachers? What are the praises and criticisms of each app? Do they perform their tasks well? Do these apps guide teacher’s and learner’s ways of thinking and understanding the world in any way (subtly or not)? How are Google, Apple and Mircosoft getting into the classroom? Who is most successful to date?

These are some of the questions I will endeavour to answer over the course of this term, and likely beyond. Feel free to come along for the ride!

Photo: Pintrest