Where Is My Data? (Part 3)
Cloud is too important a technological offering to ignore and whilst there are undoubtedly a number of considerations to address, none are insurmountable. Cloud technologies offer a great benefit when used in the right areas and for the right reasons. As cloud becomes more mature and providers more sophisticated there will be accelerated adoption, and more consistent answers and clarity to questions from customers.
So what approach can and should you take in your security diligence when adopting a cloud solution, in the areas of data, sovereignty and privacy?
Gartner has defined six rights of a cloud customer:
- The right to retain ownership, use and control one’s own data
- The right to SLAs that address liabilities, remediation and business outcomes
- The right to notification and choice about changes that affect the service consumer’s business processes
- The right to understand the technical limitations or requirements of the service up front
- The right to know what security processes the provider follows
- The responsibility to understand and adhere to software license requirements
These are a good start as a high-level foundation for what you should look to adhere to in adopting cloud services, possibly from vendors you have not dealt with previously. Businesses wishing to use cloud computing and concerned about data issues should conduct a risk analysis encompassing: what data will be stored in or pass through the cloud service; the importance and confidentiality of that data; any relevant EU, local or industry segment data protection rules to be complied with; and your own internal receptiveness to where data will be stored and what comfort you require from the chosen cloud vendor.
All European cloud providers should provide clients with all the necessary information to openly assess the relevant service, including clarity on where they will store the client’s primary and backup data, which data laws will apply, who is deemed the data controller and what data liberation terms are in place to ensure easy retrieval and removal of your own data if or when you choose to exit the cloud service.
As a client you should select a cloud provider that guarantees compliance with EU data protection legislation, and many articles have suggested going further if dealing with a US vendor. Suggestions include the recommendation that you verify that the cloud provider will guarantee the lawfulness of any cross-border international transfers of your data. They go as far as suggesting you ask the US vendor who is providing cloud services to you in the EU to state clearly in their terms with you that “under no circumstances will the data you provide us leave the EEA, even from a request under the USA Patriot Act”. Whether or not they will comply with your request, you should ask for clarity on what contractual service terms they have to protect you, and then make a decision, based on your business’ receptiveness, as to whether the terms on offer are enough in relation to the data type you will hold in their service.
Cloud is here to stay in all its forms, and security, whilst an important consideration, is not a mandated prohibitor. As with any solution there is diligence to be done, and cloud is not inherently less secure; in many cases it will be more secure than internally provisioned infrastructures. Well-provisioned cloud services can deliver a range of great advantages including greater security, more resilience, ease of mobile user support, flexibility, reduced costs and a greater user experience. However, as a business you need to understand your local responsibility as a data controller and ensure you have clear service contracts and SLAs in place to bring you the protection you require to operate safely and securely whilst taking benefit of the great advances cloud solutions can bring your business, users and customers.
This article originally appeared in Outsource magazine Issue #35 Spring 2014.