Data protection in the cloud

Whether you like it or not, somebody in your company may already be using cloud-based applications - and you might not even be aware of it. Even when the CIO says "no" to cloud, many line-of-business leaders subscribe to cloud services on their own.

As Jim Reavis, executive director of the Cloud Security Alliance puts it: "Cloud computing might be seen as a sort of revenge of the business unit. The business unit may not be seeing enough responsiveness from the IT department in getting the systems they need. Now they just bypass IT and go directly to providers. Even in highly regulated financial institutions, with very tight controls, sales departments dealing with wealth management are using services such as salesforce.com on their own."

This behaviour is problematic for UK organisations for one big reason. The internal workings of a cloud service are such that it’s not always easy to know in which country data is stored. And when data is stored outside the UK, one runs a higher risk of violating the Data Protection Act.

Furthermore, according to the UK’s Information Commissioner’s Office (ICO): "In cloud computing it will be the cloud customer who will determine the purposes for which and the manner in which any personal data are being processed. Therefore it is the cloud customer who will most likely be the data controller and therefore will have overall responsibility for complying with the DPA."

This guideline holds true even when, for example, a sales manager uses a public cloud service such as customer relationship management (CRM). The commissioner’s office says:

"When using a public cloud, the ICO recognises that a cloud customer may find it difficult to exercise any meaningful control over the way a large (and perhaps global) cloud provider operates. However, simply because an organisation chooses to contract for cloud computing services on the basis of the cloud provider’s standard terms and conditions, does not mean that the organisation is no longer responsible for determining the purposes for which and manner in which personal data is to be processed. The organisation will continue to be a data controller and will be required to meet its obligations under the DPA."

In response to the ICO guidelines, Francesca Fellowes of global law firm Squire Sanders says, "A move to cloud services is likely to increase, not reduce, the need to protect personal data. This is because cloud computing utilises layered services (where different aspects of a service, such as hosting and development, are provided by a number of different providers) and allows for services to be provided from a variety of different locations, including from outside the UK. Cloud computing also allows for a multi-tenancy environment (where a cloud service provider acts as a data processor for a number of cloud customers). It is these characteristics of cloud computing which lead to increased efficiency and cost savings. It is also these characteristics that make regulatory compliance more challenging and increase legal risk."

To appreciate how easily an organisation can wander into a legal mine field consider the following simple example. Company X provides software as a service (SaaS) to the end user. To minimise their own exposure to fluctuation in demand, company X may use platform as a service (PaaS) offerings from company Y. In turn, company Y may subscribe to infrastructure as a service (IaaS) from company Z.

Related:

The end user may not know about companies Y and Z. What’s more, since company X is operating in a competitive market, they probably swap suppliers from time to time to get better prices. So even if end users start out knowing the country where their data is stored, they can’t always be sure the data stays in that country.

UK organisations have to pay particular attention in cases where data may be stored in the United States, which happens to be the world’s most developed market for cloud computing. The US is not on the "White List" of countries the European Union recognises as implementing adequate data protection standards.

In an attempt to allay fears, the US Department of Commerce issued a statement earlier this year to clarify how the Safe Harbor data protection agreements between the US and the EU applies to cloud computing. The view of the US Department of Commerce is that, as long as companies in the value chain agree in writing to provide at least the same level of data protection as is required by the Safe Harbor standards, compliance is ensured.

Many IT directors express other concerns when considering the cloud model.

Subscriber concerns

According to strategy consultant John Rhoton, author of Cloud Computing Architected: Solution Design Handbook: "Almost all the obstacles people imagine when considering cloud computing are based on some aspect of security. You have the broadest questions:

"Is my data encrypted at the data centre? Is my data encrypted between me and the data centre? Can anybody at the cloud provider hack into my data, whether it’s an employee of the cloud provider, hackers or other tenants?"

Rhoton points out that discussions on fundamental security questions frequently become emotional. But organisations that take a step back usually come to the conclusion that most cloud providers are experts at security, having to deal with the issues every day. Since few enterprises have the skills to match the cloud providers’ expertise, by going to the cloud, you probably wind up safer.