Regulators pull their head out of the cloud

Opinion by Dan Raywood

This week saw the European Commission (EC) and the Information Commissioner's Office (ICO) both release guidance on security within cloud computing.

This week saw the European Commission (EC) and the Information Commissioner's Office (ICO) both release guidance on security within cloud computing.

In the former's case it was about ensuring understanding and giving clarity, as well as harnessing financial benefits, while the ICO's guidance is about reminding businesses of their responsibilities towards personal data as more look to cloud computing.

The ICO said that companies remain responsible for how personal data is looked after, even if they pass it to cloud network providers. The ICO said it is concerned as to how many businesses do not realise they remain responsible for how the data is looked after, even after passing it to the cloud network provider.

Dr Simon Rice, ICO technology policy advisor and author of the guidelines, said: “The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don't meet data protection laws.”

Last year Stewart Room, partner at Field Fisher Waterhouse, told SC Magazine that changes to the Data Protection Directive would include a ‘binding safe processor rule', whereby data owners will not be liable for loss at the hands of a cloud provider.

He said: “If you outsource to a certified business, you will not be liable if they breach your data. I believe that this will be a massive move for the adoption of cloud services by businesses which, until now, have been worried about third-party responsibility and safety in the cloud.”

Paul Ayers, VP EMEA of Vormetric, said that the guidelines serve as a timely reminder of the full extent of organisations' data protection responsibilities, and the dangers that can ensue if data is not managed appropriately.

He said: “Some 'wishful thinking' enterprises believe that leveraging the cloud allows them to wash their hands of the need to secure their data. That is not the case. Companies still need to be able to establish where their data is held and define what data protection policies are in place.

“The cloud offers fantastic advantages in agility and the prospect of cost savings, however, ownership for data security has to stay with the enterprise owning the data, as ultimately that is where the accountability lies. When it comes to sensitive data in the public cloud, the enterprise is ultimately accountable and needs to perform due diligence.”

Steve Durbin, global vice president of the Information Security Forum (ISF), said that the guide acts as a reminder that companies, not service providers, are responsible for protecting data when it comes to the cloud.

“As a result, businesses need to assess the sensitivities of any data before it is moved to the cloud, and ensure that the appropriate security procedures are in place to protect it,” he said.

“We recommend that organisations start by developing a cloud security architecture that specifies how their data will be used, and which incorporates the security controls that will be needed to comply with the latest privacy legislation using features such as real-time auditing, encryption, and identity access management policies.

“Secondly, because cloud computing providers are external suppliers, organisations need to consider a number of key factors when working with these providers, such as who has a right to the data logs, and/or who will ultimately own the information.”

One of the key areas of outsourced cloud computing is being sure that the company you outsource to is as compliant and risk assessed as you are. As the ICO said, businesses remain responsible for compliance with data protection laws, even if the data is looked after by a service provider.

In other related news, the EC issued guidelines on the ownership of data in cloud computing. It said that its new strategy was to create a "single set of rules for cloud computing and increase EU GDP by €160 billion annually by 2020".

The EC said that despite mass usage of cloud computing, whether via social media or storage or by saving office space and reducing the need for in-house IT support teams, the European Union is not yet reaping the full potential of cloud computing, as many businesses are put off by uncertainties over data security or moving data between different cloud providers.

It has proposed a strategy with a single set of rules that will boost the use of cloud computing by European businesses. It said this will: ensure users can move data from one cloud to another or withdraw data altogether; offer an EU-wide certification for trustworthy cloud providers; and likewise launch 'model contracts' for cloud computing that make legal obligations clear. Finally, it has introduced a ‘European Cloud Partnership' between the public sector and industry to identify needs and ensure Europe's IT sector can meet them.

The EC's strategy document includes three key areas where the body will take action: standards; service level agreements; and public sector adoption through a European Cloud Partnership.

David Lingenfelter, information security officer at Fiberlink, said: “This is continued validation that cloud computing is not just a viable technology solution, but a solid foundation for how the internet and communication is going to continue to advance over the coming years.

“With the EC stepping up and adopting this communication ‘towards an integrated cloud computing strategy for the European Union', it begins to open the doors to further adoption of cloud services throughout the EU.”

Michel Robert, UK MD of managed services provider Claranet, said that the report should strongly recommend that cloud providers give their customers a clear understanding of where their data is being hosted and where possible, a choice of hosting their data in local facilities.

“Without clarity on data location it will become increasingly difficult to maintain and grow trust in the cloud. We expect and hope that the European Commission promotes the benefits of, and encourage service providers to use in-country data centres for the territories in which they operate, and to make it transparent to their customers where their data is being stored,” he said.

Vinod Bange, data protection specialist and partner at international law firm Taylor Wessing, said that it was hard to see how the plans come up with fresh solutions to the challenges of cloud computing.

Bange said: “Some measures are welcome, such as certification for security standards and encouraging the EU data protection reforms to 'gather speed'. However, simply pointing to data protection solutions such as binding corporate rules (BCR) as being an appropriate answer provides no silver bullet. The fact is that the journey of implementing a BCR solution from start to finish with the regulatory approval required to give it 'life' can take years to achieve.

“New thinking would have been welcome here, such as allowing cloud BCR solutions to have deemed adequacy earlier in the process – for example as soon as key milestones such as security certification have been achieved. This would provide for more certainty of not breaking data laws much sooner than can otherwise be achieved.”

The announcements this week show that the dilemma of security of cloud computing could finally be coming to an end. There is a recognition from the ICO and EC that it exists and people are doing it, so the next challenge is doing it within a regulatory framework and businesses and users being aware of what they are doing.

The ICO guidelines are simply that, guidelines, but as it is no longer the 'toothless tiger' its advice should be considered. As for the EC, well its plans often have to go through an endless mincing machine and from that, something unrecognisably different may emerge.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events