Cloudy punters can't rely on 'certified' CSPs for data protection

ICO: Certification of service providers is great, but it won't help you in court

A new online platform that enables prospective users of cloud computing services to assess the security features of registered cloud providers is to be welcomed, the UK's data protection watchdog has said.

Amazon has become the latest cloud provider to publish details (42-page/475KB PDF) of how it ensures the security of information that users store in its 'Amazon Web Services' cloud platform. It submitted the details to the Security, Trust & Assurance Registry (STAR), operated by not-for-profit body the Cloud Security Alliance (CSA).

The Registry enables cloud providers to submit "self assessment reports" documenting their compliance with "best practices" established by CSA. The Registry is free to view and helps "users assess the security of cloud providers they currently use or are considering contracting with," according to CSA's website.

CSA says it promotes "the use of best practices for providing security assurance within cloud computing" and provides "education on the uses of cloud computing to help secure all other forms of computing". Its members include Google, Microsoft and a host of other global businesses.

While the ICO welcomed the CSA's STAR initiative, which has been operating since the end of last year, it told Out-Law.com that organisations cannot rely on the information published by cloud providers, or on other external certifications, to ensure their own compliance with UK data protection laws.

"The Data Protection Act does not stop the overseas transfer of personal data, but it does require that it is protected adequately wherever it is located and whoever is processing it, this includes if it is being stored in the cloud outside of the UK," a spokesperson for the ICO said.

"While any scheme aimed at ensuring people's information is adequately protected in line with an organisation's requirements under the Act is to be welcomed, organisations thinking of using cloud service providers must understand that they are still responsible for the safety of that data. Just because their cloud service provider is registered with such a scheme does not absolve the organisation who collected the data of their legal responsibilities," they added.

The spokesperson said that the ICO is "currently developing new guidance for UK organisations to explain their legal requirements under the Act when processing and storing personal information in the cloud" and would publish the guidance in the autumn.

Two of the biggest data protection compliance issues that cloud services raise for organisations are their perceived inability to audit the service provider in order to verify compliance, and a perceived loss of control over the data for which they remain responsible.

Earlier this month the Article 29 Working Party, the EU privacy watchdog on which the ICO is represented, said businesses that wish to use cloud services to store and process personal data must use providers that can "guarantee" compliance with EU data protection laws.

The Working Party said firms inherently lack control over personal data they are responsible for when using cloud services, and also may not have access to detailed information about how information is processed in the cloud. It said that cloud computing also poses risks to data security, such as "loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures."

EU data protection law also requires that organisations sending personal data outside of the European Economic Area (EEA), as can happen when using cloud storage services, ensure that adequate data protection safeguards are in place before that processing takes place, unless the destination country has been pre-approved by the European Commission as providing adequate data protection. The laws further require organisations to take measures to secure the personal data they are responsible for.

How to help yourself

The Working Party set out guidance on what companies can do to meet their own data protection requirements when using cloud services. Its recommendations included advice on how contracts between 'data controllers' and cloud providers could contain safeguards to avert risks of non-compliance with data protection laws. Those contracts should detail how cloud providers would keep personal data secure, how access to the information would be restricted and enable the controller to monitor the providers' data protection compliance, among other things, it said.

CSA has indicated that its STAR forum could help companies that are seeking to use cloud services to meet the adequacy requirements for international transfers under data protection law.

"The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences," according to a statement on its website. "CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator."

The first cloud providers to submit reports through STAR did so in December last year, with Microsoft among the companies to have provided documents for review.

According to the document submitted by Amazon to STAR, Amazon and the organisations that use its AWS platform share responsibility for securing the service, each covering different layers.

"AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates," the document states. "The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall."
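The customer-side half of that split is easy to state and easy to neglect: if the provider stops at the hypervisor, then an instance whose security group allows the whole internet onto SSH or a database port is the customer's failure, not AWS's, and no STAR entry will catch it. The script below is an added example written for this article, not code from Out-Law, the ICO or Amazon's STAR submission. It audits security-group ingress rules for sensitive ports exposed to 0.0.0.0/0 or ::/0. The input follows the shape of boto3's ec2.describe_security_groups()["SecurityGroups"] response, but the groups, their IDs and their rules are constructed inline so the check runs offline; the port list is an assumed starting set, not an AWS recommendation.

```python
"""
Audit EC2 security-group ingress rules for sensitive ports open to the world.

Added example for the shared-responsibility discussion; not from the article
or from AWS. SAMPLE_GROUPS is constructed test data in the shape returned by
boto3 ec2.describe_security_groups()["SecurityGroups"]; swap it for a live
call to audit a real account.
"""

# Assumed list of ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
    1433: "mssql", 6379: "redis", 27017: "mongodb",
}

# CIDRs that mean "anyone on the internet" (IPv4 and IPv6).
WORLD = {"0.0.0.0/0", "::/0"}


def _rule_ports(rule):
    """Sensitive ports a single IpPermission entry covers.

    IpProtocol "-1" is AWS's encoding for all protocols on all ports and
    carries no FromPort/ToPort; tcp/udp "all ports" is FromPort=0, ToPort=65535.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return set()  # icmp and friends have no port to expose
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def _rule_sources(rule):
    """Every source CIDR (v4 and v6) a single IpPermission entry allows."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return cidrs


def find_world_open_ingress(security_groups):
    """Return sorted (group_id, port, service, cidr) tuples, one per
    sensitive port that a security group exposes to the whole internet."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            ports = _rule_ports(rule)
            if not ports:
                continue
            for cidr in _rule_sources(rule):
                if cidr in WORLD:
                    for port in sorted(ports):
                        findings.append(
                            (sg["GroupId"], port, SENSITIVE_PORTS[port], cidr))
    return sorted(findings)


# Constructed sample data; group IDs are invented, not real AWS resources.
SAMPLE_GROUPS = [
    {   # HTTPS to the world is expected; SSH is limited to an internal range.
        "GroupId": "sg-0web0example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # Bastion with SSH open on both address families: two findings.
        "GroupId": "sg-0bastion0example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # Database port open to the world: one finding.
        "GroupId": "sg-0db0example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # "All traffic" rule: every sensitive port is a finding.
        "GroupId": "sg-0legacy0example",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # All tcp ports, but only from one documentation /24: no finding.
        "GroupId": "sg-0partner0example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
]


if __name__ == "__main__":
    for group_id, port, service, cidr in find_world_open_ingress(SAMPLE_GROUPS):
        print(f"{group_id}: {service}/{port} open to {cidr}")
```

The check deliberately treats "-1" (all traffic) and a tcp range that happens to span a sensitive port as findings, because both are the common ways a port ends up exposed without anyone having typed its number. Running the same function over a live describe_security_groups response gives a customer the kind of evidence about their own configuration that a provider's STAR entry, by design, cannot.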

Amazon's document also said that its cloud offering "engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
