Cloudy punters can't rely on 'certified' CSPs for data protection
ICO: Certification of service providers is great, but it won't help you in court
A new online platform that enables prospective users of cloud computing services to assess the security features of registered cloud providers is to be welcomed, the UK's data protection watchdog has said.
Amazon has become the latest cloud provider to publish details (42-page/475KB PDF) of how it ensures the security of information that users store in its 'Amazon Web Services' cloud platform. It submitted the details to the Security, Trust & Assurance Registry (STAR), operated by not-for-profit body the Cloud Security Alliance (CSA).
The Registry enables cloud providers to submit "self assessment reports" documenting their compliance with "best practices" established by CSA. The Registry is free to view and helps "users assess the security of cloud providers they currently use or are considering contracting with," according to CSA's website.
CSA promotes "the use of best practices for providing security assurance within cloud computing" and that provides "education on the uses of cloud computing to help secure all other forms of computing". Its members include Google, Microsoft and a host of other global businesses.
While the ICO welcomed the CSA's STAR initiative, which has been operating since the end of last year, it told Out-Law.com that organisations cannot rely on the information available from cloud providers or other external certifications, to ensure their own compliance with UK data protection laws.
"The Data Protection Act does not stop the overseas transfer of personal data, but it does require that it is protected adequately wherever it is located and whoever is processing it, this includes if it is being stored in the cloud outside of the UK," a spokesperson for the ICO said.
“While any scheme aimed at ensuring people’s information is adequately protected in line with an organisation’s requirements under the Act is to be welcomed, organisations thinking of using cloud service providers must understand that they are still responsible for the safety of that data. Just because their cloud service provider is registered with such a scheme, does not absolve the organisation who collected the data of their legal responsibilities," they added.
The spokesperson said that the ICO is "currently developing new guidance for UK organisations to explain their legal requirements under the Act when processing and storing personal information in the cloud" and would publish the guidance in the autumn.
Two of the biggest issues with cloud services in terms of data protection compliance for organisations are their perceived inability to audit the service provider in order verify compliance and perceived loss of control over the data for which they are responsible.
Earlier this month the EU privacy watchdog the Article 29 Working Party, through which the ICO is represented, said businesses that wish to use cloud services to store and process personal data must use providers that can "guarantee" compliance with EU data protection laws.
The Working Party said firms inherently lack control over personal data they are responsible for when using cloud services, and also may not have access to detailed information about how information is processed in the cloud. It said that cloud computing also poses risks to data security, such as "loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures."
However, EU data protection law requires that organisations sending personal data outside of the European Economic Area (EEA), as may be the result of using cloud storage services, ensure that there are adequate data protection safeguards in place before that processing takes place. This is unless the destination country has been pre-approved as having adequate data protection by the European Commission. The laws also require organisations to take measures to secure personal data they are responsible for.
How to help yourself
The Working Party set out guidance on what companies can do to meet their own data protection requirements when using cloud services. Its recommendations included advice on how contracts between 'data controllers' and cloud providers could contain safeguards to avert risks of non-compliance with data protection laws. Those contracts should detail how cloud providers would keep personal data secure, how access to the information would be restricted and enable the controller to monitor the providers' data protection compliance, among other things, it said.
CSA has indicated that its STAR forum could help companies that are seeking to use cloud services to meet the adequacy requirements for international transfers under data protection law.
"The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences," according to a statement on its website. "CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator."
The first cloud providers to submit reports through STAR did so in December last year, with Microsoft among the companies to have provided documents for review.
According to the document submitted by Amazon to STAR, both Amazon and the organisations that use its AWS platform share responsibility for aspects of the service.
"AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates," the document states. "The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall."
Amazon's document also said that its cloud offering "engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS."
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.