Is your data safe in the cloud?
Cloud computing offers huge benefits in flexibility, storage capacity and processing power, and research from IDG Enterprise predicts that spending on cloud computing will rise by 42 per cent this year alone. But it may not be the right solution for every business.
How to manage risk
If your business uses an external server network (owned by yourself or by third parties) rather than local servers to store and access data and applications, then you’re operating in the cloud. Highly sensitive or business-critical data may not be suitable for public cloud services, while private cloud services can be costly. Many businesses – particularly those in regulated sectors – opt for hybrid solutions, running some systems in the cloud and others locally.
If you want to move business-critical data into the cloud, contractual protection and practical due diligence on the provider are equally important. The different terms and deployment models offered by cloud providers should be carefully reviewed, compared and negotiated.
Key considerations for cloud users
Territorial laws can be incompatible with cloud, where data often doesn’t respect borders. There’s no cloud-specific regulation in the UK, for example, but that doesn’t mean the cloud isn’t regulated: in principle any law may apply, potentially from several jurisdictions at once. Of particular relevance are contract, consumer, (data) privacy and intellectual property law, as well as cyber security and sector-specific regulations.
Issues to consider
Locating your data
Some public cloud providers operate hundreds of data centres around the world, so you need to decide what level of transparency regarding location, administration and data protection you require, and whether you need to keep your data in specified jurisdictions. European data protection law, for example, imposes strict requirements on data transfers outside the EU, and some countries are considering measures that would require their citizens’ data to remain inside their borders. In response, cloud providers are increasingly offering EU-only data centre options. It’s worth remembering that governments may seek to access your data – and your users’ data – on servers in their jurisdictions (and indeed sometimes beyond those borders), and that cloud users are also responsible for compliance with export control restrictions in some jurisdictions.
Controlling your data
If you entrust your data to third-party providers, you’ll continue to bear much of the legal and regulatory risk associated with it – and may be liable if the provider suffers a data breach or cyber attack. In these circumstances you’ll need a provider that lets you stay in control of your data. If you can’t get the guarantees or contractual protection that you need, you might opt to develop your own cloud infrastructure.
Recently, some US federal courts have taken the view that data in an organisation’s cloud is in its possession, custody or control regardless of where the data centres are located – and must be produced in response to a US subpoena. These rulings are under appeal, but they highlight the risk that data in the cloud could be exposed to foreign search warrants, subpoenas and discovery requests in connection with criminal investigations and civil litigation. A conflict between a foreign data request and local data protection law can put you in an impossible compliance position and undermine your customers’ trust if their data is targeted.
Securing your data
Your provider could be an attractive target for cyber criminals, particularly if it handles valuable data for multiple customers. Recent cases have also shown that the troves of data held by public cloud providers have been tempting targets for intelligence agencies’ snooping. And private clouds are not immune to risk: the telecommunications networks connecting your users to the cloud – particularly if the traffic over them is unencrypted – could also be vulnerable.
Despite this, cloud-based systems may be more resilient than internal IT environments and often have the scale to weather distributed denial-of-service attacks and spikes in traffic volumes. Consolidating your infrastructure in a private cloud can also make it easier to keep your systems patched and your security measures up to date.
Accessing your data
Most cloud contracts do not cover the technical connection between client and cloud but leave it to third-party carriers, mainly internet service providers. The cloud contract and the carrier contract therefore need to be aligned with each other. You should also ensure you’re able to move from one cloud provider to another, to prevent any kind of vendor lock-in. The more complex the cloud services, the more subcontractors are likely to be involved. You need to ensure that those subcontractors are chosen carefully and meet at least the same standards as the cloud provider.
Key issues in cloud contracts