The Information Commissioner's Office (ICO) has warned businesses that they are still responsible for the safety of the data they own - even when that data is in the cloud. The regulator put out guidelines today for businesses on keeping data safe in the cloud. Dr Simon Rice, ICO technology policy advisor, hammered home the …
My employer, by nature of their business, is very conservative, and thanks to my highlighting of the particularly draconian nature of the PATRIOT act has wisely steered well clear of cloudy fumbling. However it's worrying that colleagues with other organisations report differently.
I just hope they don't wake up one day and find all their data gone a la Megaupload, because the feds slapped a writ on their data centre.
Surely the first and foremost requirement should be that the disks your cloud VMs use are encrypted. Same for the backups being shipped elsewhere. A piece of paper such as a contract or an SLA should not be any defence against not taking reasonable precautions. "But my cloud provider assured me it's safe!" should not be a viable defence where the data wasn't encrypted.
Encryption really should go without saying. However, "data security" isn't just about controlling access to the data. It's also about ensuring the data is there when you need it. It's no comfort to you, if you have clouded your HR and payroll (for example) and then discover your provider has gone bust, not paid their bills, and your data is now so much dead electrons.
We live in interesting times. IT is finally living up to its name of *Information* technology, and provision of resources for IT is starting to be viewed in the same way as physical infrastructure - roads, water, electricity - where companies just hook up and go.
All I can say is that it is obvious that it is still their responsibility (and accountability).
Just because something is outsourced/off-shored/clouded doesn't mean that responsibility is similarly outsourced/off-shored/clouded. Quite the opposite: it means that you now have more responsibility as you now need to ensure that it is all being managed correctly.
Otherwise you end up with the equivalent of CDS/exotics packages that started the Credit Crunch: toxic SLAs, managed by incompetents, wrapped up in good SLAs etc etc.
For example, what if your cloud provider decided to outsource their administration to G4S?
Re: Delegating responsibility
Agreed. Should be totally obvious and my eyes are wide open to risks of the cloud. Shame so many CIOs and CTOs are not. Speaking specifically of personal/commercial or sensitive information:
If it's a true cloud service then you don't know where your data is being stored, in what country or in what legal jurisdiction. In those cases a business has no place to use it in light of their data controller responsibilities.
If you do know where your data is being physically stored and hosted from, then that isn't cloud anyway - that's called Managed Hosting.
I do give credit to the ICO for almost doing something useful for once by pushing this message.
would be funny but
This from a government that shipped all our data off to another country and all I get are the lousy sales calls.
The one that approved all our utilities data going off to hotter climes where apparently they can't cope with the idea that a bill which is four times the average bill and my historical bill due to their data entry error is perfectly acceptable and should be paid in full immediately.
And then . . .
. . . where does your cloud storage provider store *their* backups?
Our company recently moved our internal HR systems to another part of the world (Canada), due to a part of the company working there and having closer ties to our HR system provider - but that means all of our personal data is now in Canada.
I queried this at the time, but apparently Canada are considered as vigilant as a European company and conform to the European laws regarding personal data, so that was ok.
However, the backups are kept in the USA, which doesn't conform to European laws. What they have is something called "Safe Harbor" (sic), which is a *voluntary* code that they sign up to, but has no legal backing.
Apparently as a company we were ok with that . . .
Re "encryption really should go without saying"
It should, of course. Except that although one of the widely recommended backup services is using encryption, it is apparently only encrypted while in transit and gets decrypted again once it arrives at their server. It is, nevertheless, misrepresented as an encrypted service and the service provider deliberately fails to point out that it's not actually stored in encrypted form.