
Cloudy punters can't rely on 'certified' CSPs for data protection

ICO: Certification of service providers is great, but it won't help you in court


A new online platform that enables prospective users of cloud computing services to assess the security features of registered cloud providers is to be welcomed, the UK's data protection watchdog has said.

Amazon has become the latest cloud provider to publish details (42-page/475KB PDF) of how it ensures the security of information that users store in its 'Amazon Web Services' cloud platform. It submitted the details to the Security, Trust & Assurance Registry (STAR), operated by not-for-profit body the Cloud Security Alliance (CSA).

The Registry enables cloud providers to submit "self assessment reports" documenting their compliance with "best practices" established by CSA. The Registry is free to view and helps "users assess the security of cloud providers they currently use or are considering contracting with," according to CSA's website.

CSA promotes "the use of best practices for providing security assurance within cloud computing" and provides "education on the uses of cloud computing to help secure all other forms of computing". Its members include Google, Microsoft and a host of other global businesses.

While the ICO welcomed the CSA's STAR initiative, which has been operating since the end of last year, it told Out-Law.com that organisations cannot rely on the information available from cloud providers, or on other external certifications, to ensure their own compliance with UK data protection laws.

"The Data Protection Act does not stop the overseas transfer of personal data, but it does require that it is protected adequately wherever it is located and whoever is processing it; this includes if it is being stored in the cloud outside of the UK," a spokesperson for the ICO said.

"While any scheme aimed at ensuring people's information is adequately protected in line with an organisation's requirements under the Act is to be welcomed, organisations thinking of using cloud service providers must understand that they are still responsible for the safety of that data. Just because their cloud service provider is registered with such a scheme does not absolve the organisation who collected the data of their legal responsibilities," they added.

The spokesperson said that the ICO is "currently developing new guidance for UK organisations to explain their legal requirements under the Act when processing and storing personal information in the cloud" and would publish the guidance in the autumn.

Two of the biggest data protection compliance issues that organisations face with cloud services are their perceived inability to audit the service provider in order to verify compliance and a perceived loss of control over the data for which they are responsible.

Earlier this month the EU privacy watchdog, the Article 29 Working Party, on which the ICO is represented, said businesses that wish to use cloud services to store and process personal data must use providers that can "guarantee" compliance with EU data protection laws.

The Working Party said firms inherently lack control over personal data they are responsible for when using cloud services, and also may not have access to detailed information about how information is processed in the cloud. It said that cloud computing also poses risks to data security, such as "loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures."

EU data protection law requires that organisations sending personal data outside of the European Economic Area (EEA), as may result from using cloud storage services, ensure that adequate data protection safeguards are in place before that processing takes place, unless the destination country has been pre-approved by the European Commission as having adequate data protection. The laws also require organisations to take measures to secure personal data they are responsible for.

How to help yourself

The Working Party set out guidance on what companies can do to meet their own data protection requirements when using cloud services. Its recommendations included advice on how contracts between 'data controllers' and cloud providers could contain safeguards to avert risks of non-compliance with data protection laws. Those contracts should detail how cloud providers would keep personal data secure, how access to the information would be restricted and enable the controller to monitor the providers' data protection compliance, among other things, it said.

CSA has indicated that its STAR forum could help companies that are seeking to use cloud services to meet the adequacy requirements for international transfers under data protection law.

"The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences," according to a statement on its website. "CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator."

The first cloud providers to submit reports through STAR did so in December last year, with Microsoft among the companies to have provided documents for review.

According to the document submitted by Amazon to STAR, both Amazon and the organisations that use its AWS platform share responsibility for aspects of the service.

"AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates," the document states. "The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall."
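The customer half of that split is the part no registry entry can cover: the provider's STAR document says nothing about whether a given customer has left an administrative port open to the world in the security group firewall it is responsible for. The following Python script is an added illustration of that customer-side check and is not taken from Amazon's STAR submission or from any AWS tooling. The rule format, the sample rule set, the list of "admin" ports and the `corporate_cidr` value are all constructed for this example.

```python
"""Audit security-group-style ingress rules for over-permissive exposure.

Illustrates the customer-side duty in the shared-responsibility model:
the provider runs the hypervisor and facilities, the customer decides what
the security group firewall lets in. Everything below (rule schema, sample
rules, port list, CIDRs) is constructed for the example, not real data.
"""
import ipaddress

# Ports this example treats as administrative/data-plane and never exposes
# to the whole internet (assumption for the example: SSH, RDP, MySQL, Postgres).
ADMIN_PORTS = {22, 3389, 3306, 5432}

# Constructed sample security group: one dict per ingress rule.
# proto "-1" stands for "all protocols", as in the example's own schema.
SAMPLE_RULES = [
    {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},        # HTTPS, fine
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},          # SSH open to world
    {"proto": "tcp", "from": 3389, "to": 3389, "cidr": "203.0.113.0/24"}, # RDP from admin net
    {"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"},         # everything open
    {"proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/8"},     # DB from private net
]


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_findings(rule: dict) -> list:
    """Return human-readable policy violations for a single rule."""
    findings = []
    if not is_world_open(rule["cidr"]):
        return findings                      # restricted source: nothing to flag here
    if rule["proto"] == "-1":
        findings.append("all protocols and ports open to the internet")
        return findings
    exposed = ADMIN_PORTS & set(range(rule["from"], rule["to"] + 1))
    if exposed:
        findings.append("admin port(s) %s open to the internet" % sorted(exposed))
    if rule["to"] - rule["from"] >= 1000:
        findings.append("wide port range open to the internet")
    return findings


def audit(rules: list) -> list:
    """Return (rule index, finding) pairs for every rule that violates the policy."""
    return [(i, f) for i, r in enumerate(rules) for f in rule_findings(r)]


def harden(rules: list, corporate_cidr: str = "203.0.113.0/24") -> list:
    """Return a corrected copy of the rule set.

    Catch-all rules are dropped; world-open rules touching admin ports are
    narrowed to corporate_cidr; everything else is kept unchanged.
    """
    fixed = []
    for r in rules:
        if not is_world_open(r["cidr"]):
            fixed.append(dict(r))
            continue
        if r["proto"] == "-1":
            continue                          # drop the all-traffic rule entirely
        if set(range(r["from"], r["to"] + 1)) & ADMIN_PORTS:
            fixed.append(dict(r, cidr=corporate_cidr))
        else:
            fixed.append(dict(r))
    return fixed


if __name__ == "__main__":
    for idx, finding in audit(SAMPLE_RULES):
        print("rule %d: %s" % (idx, finding))
    print("after hardening:", audit(harden(SAMPLE_RULES)))
```

Run as a script it reports the world-open SSH rule and the catch-all rule, then shows that the hardened set produces no findings. The point is not the specific ports but where the check lives: it runs in the customer's own pipeline against the customer's own configuration, which is exactly the layer the provider's self-assessment does not vouch for.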

Amazon's document also said that its cloud offering "engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

