Cloud computing provides us with many benefits. It allows us to scale services quickly in accordance with demand. Cloud computing enables us to deploy new systems, services, and applications rapidly in response to business needs. It also allows us to outsource certain functions to Cloud Service Providers that specialise in those areas allowing our internal IT departments to focus more on key business requirements.
Finally, another benefit cloud computing provides is to transfer the task of securing our data to providers that may have more skills, specialists, and budget to do so.
However, while providing many benefits, cloud computing also has a number of challenges that need to be considered. One of the key areas for businesses to take into account is compliance. Many businesses are bound either by laws, regulations, or customer contracts to ensure the data they manage on behalf of their clients is stored and managed under certain conditions. A prime example of this is the European Data Protection Directive, which all Member States within the European Union have transposed into their own local laws.
One of the key principles under the Data Protection Directive is that personal data belonging to European citizens cannot be exported to countries outside the European Economic Area, unless those countries have been approved by the European Commission. If the country does not meet those requirements, then the company must contractually bind the service provider, through what is known as a ‘model contract’, to provide levels of security in line with the requirements of the Data Protection Directive. Providers located in the United States can process personal data on behalf of European clients provided they are part of the US Government’s Safe Harbor program.
The challenge with cloud computing is that, by its very definition, there is no way to guarantee where data may be physically located. In pure cloud computing, data can be stored across many disks, across many servers, across many data centres, which in turn could be located across many continents. Knowing where each and every piece of data is located in a cloud provider’s system at any one specific moment in time may not be possible. This compliance issue is not restricted to the European Data Protection Directive.
There are various other compliance regimes that companies need to consider, which may be based on laws applicable to where the company is headquartered, on the jurisdictions in which it operates, and/or on regulatory requirements for the industries it is involved in. PCI DSS, for example, places many requirements on companies in relation to how they manage and process credit card data.
The area of compliance in relation to cloud computing has also come to the fore with the recent allegations by Edward Snowden regarding US, UK, and other western nations’ spy agencies accessing data stored in various cloud providers and other tech companies. This has raised many concerns, particularly within the European Union, regarding government surveillance by foreign nations on the personal data of European citizens. This was manifested by the German government looking to establish a German Internet where data belonging to German citizens would remain within the networks of German telecom providers and therefore never leave the state to be intercepted by foreign nations.
Many of the large cloud service providers such as Google, Microsoft, and Amazon have reinforced this notion of region-specific clouds by having their own dedicated European clouds, where they guarantee data will never leave their European data centres. Amazon has recently taken this a step further by establishing a dedicated German cloud in its datacentre in Frankfurt.
But a recent court case in the US has highlighted that regional clouds may not be enough. Microsoft has been held in contempt of court for not providing US law enforcement with access to an email mailbox stored physically on one of its servers in its datacentre located in Dublin, Ireland. Microsoft claims that as the server is physically located in Ireland, the US government needs to bring the case through the Irish courts to gain access to the data.
The US government claims that because Microsoft, a US company, has control over the data, it is legally obligated under US law to provide law enforcement with access to that data. A New York court ruling has supported the US government and ordered Microsoft to comply with the request. Microsoft has refused to comply and is now in contempt of court until its appeal against the ruling is heard. Should Microsoft lose the appeal, many analysts say it will have a major negative impact on the ability of US cloud service providers to provide services to European-based companies.
What does this mean to businesses considering moving to the cloud? Firstly, companies looking to do so should identify exactly what data will migrate to the cloud and what the related compliance implications are for that data. A thorough risk assessment should then be conducted with a particular focus on the threats those risks arise from. Based on that risk assessment, including whether or not the threat actors would be at government level, a decision should be made whether or not to move that data to the cloud. Should migrating to the cloud still be an option, the business should ensure the cloud service provider is bound by Service Level Agreements on how it will manage and process data entrusted to it in accordance with any compliance requirements.
In addition, appropriate security measures should be included in that SLA such as anti-malware protection, intrusion detection, and appropriate firewalls. To further ensure the security of its data, businesses should ensure that data in the cloud is encrypted to protect it from unauthorised access. In addition, the business should ensure the encryption keys remain in the sole control of the business and not the cloud service provider.
Migrating to the cloud provides many advantages, and careful consideration of the compliance issues relating to the data will enable those benefits to be realised. Businesses can outsource the processing of their data, but they need to remember that they cannot outsource the responsibility for any compliance requirements for that data.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is also the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3) and an adjunct lecturer on Information Security at University College Dublin. He is the author of the book ISO 27001 in a Windows Environment and co-author of The CSA Guide to Cloud Computing and The Cloud Security Rules. He is a regular speaker at major industry conferences. In 2013 Brian was awarded SC Magazine Information Security Person of the Year for his contribution to the computer security industry.