Earlier in the year Quocirca was asked a surprising question along these lines: “If we use a cloud-based storage service and there is a leak of personal data, who is responsible, us or them?” Make no mistake, the answer is, that regardless of how and where data is stored, the responsibility for the security of any data lies with the organisation that owns it, not its service providers.
In general terms, regulators are mainly concerned about personal identifiable data (PID). In the UK, the Data Protection Act (DPA) requires any company that processes PID to appoint a data controller to ensure the safe processing and storage of such data. The controller should indeed be wary of cloud-based storage services when it comes to compliance with the DPA and EU Data Protection Directive, which is being updated this year.
As was pointed out in a previous Quocirca blog post “The highly secure cloud”, this is not because cloud storage services are inherently less secure; indeed in many cases such services are likely to be more secure than internally provisioned storage infrastructure. The danger comes from how such services are used. There are four main use cases that data controllers should be wary of:
1 – Storage provided as part of an infrastructure-as-a-service (IaaS) offering. Here the provider is simply providing a managed storage facility. As long as the provider is well selected, then the base infrastructure should be more than secure enough; it will be how it is used that matters and that is down to the buyer of the service. There are two caveats:
- The EU Data Protection Directive requires that personal data is processed within the physical boundaries of the EU (unless covered by a safe-harbour agreement).
- Some countries have far reaching laws when it comes to the ability to request access to data, most notoriously the US Patriot Act. Safe-harbour does not protect against this.
So the physical location of the storage facility used must be defined and guaranteed in the contract with the service provider.
2 – Backup-as-a-service. Here the provider takes a copy of your data and promises to restore it should the original be lost. This may be a short-term backup service or a long-term archiving service. The main difference here is the provider is now responsible for selecting where the data is stored, so the service level agreement must again cover physical locations and state that the provider will not use primary or secondary locations that fall outside the compliance boundaries.
3 – Software-as-a-service (SaaS). Here a subscription is made to an on-demand application that will process and store data. Again, it must be understood where data will be stored and processed. Many of the big US-based providers (for example salesforce.com) have safe-harbour agreements with the EU, so it is OK for personal data to be processed and stored in their data centres outside the EU as part of a specific SaaS agreement.
4 – Consumer cloud storage services. These are the most insidious threat and open up a wild frontier, as they are often provided on a freemium basis. They are attractive to users who want to back up their own personal data and access data from multiple devices. However, if business data gets caught up in the mix, the data controller has now lost control. This requires a mix of end-point security, mobile device management, data loss prevention and web access control to be in place that is beyond the scope of this article.
Well provisioned cloud storage services are an inherently safe place to store data. However, data controllers need to understand how they are being used and have clear SLAs in place. If a provider fails to meet an SLA, the buyer can seek compensation, but by then it too late; it is the data controller’s door that the enforcers of the DPA will come knocking on.