What’s scarier than a 500,000-pound gorilla? A 500,000-pound gorilla waving a set of best-practice guidelines. The UK Information Commissioner's Office (ICO), which has the ability to levy £500,000 in fines for companies that have contravened the Data Protection Act, has turned its attention to the cloud. It has published guidance outlining the responsibilities for companies storing their customers' data in cloud environments. Now, there is no excuse for organisations to misstep when it comes to cloud security.
The Guidelines' biggest contribution is its clear definition. It assigns responsibility for data security unequivocally to the company that owns the data, rather than the company taking care of it. Any organisation with customer data processed by a cloud service provider that has a data breach may want to blame the third party. Take heed: the ICO is having none of it. The owner of the data is the data controller.
With that in mind, the ICO offers data controllers several key pieces of advice to stay within the confines of the Data Protection Act. They must consider which data to move to the cloud, and assess the risks. They must both monitor the service provider's performance, and keep customers informed about their use of cloud services. They must ensure that data is protected using the technical and organisational measures necessary. And they must select the right cloud service provider, sealing agreements over security with a written contract.
A half-baked approach
Today, many data controllers pay lip service to these responsibilities. Many rely on a set of weak, ill-defined terms and conditions presented by the cloud service provider, and assume that the responsibility for data security is taken care of. They focus on ticking boxes and covering themselves on paper, rather than taking proper steps to ensure that their sensitive data is really secure. This is the difference between theoretical security, and practical protection, and it won’t do, says the ICO.
“Simply because an organisation chooses to contract for cloud computing services on the basis of the cloud provider's standard terms and conditions, does not mean that the organisation is no longer responsible for determining the purposes for which, and manner in which, the personal data is to be processed," the guidelines say. Abrogating responsibility is not an option, if you don’t want the gorilla to come calling.
Real data protection depends on proper security audits - or at least, verification of a service provider’s security by a third-party. It also depends on a thorough understanding of access control mechanisms, and how and where data is stored. Will it be stored in a multi-tenanted environment, or privately hosted? Will the data be stored locally, in the UK, or will it be stored in another country? The latter could put a data controller in violation of the Data Protection Act.
Security begins at home – cloud encryption and key management
Neither is scrutiny of the service provider enough. Security begins at home, and the data controller must ensure that their own systems are secure. In paragraph 63 of its guidance, the ICO singles out encryption as a useful tool in protecting the personal data that a company is responsible for, even when it is being processed by a third party.
However, it is important to understand the nuances of such solutions. The ICO does a good job of differentiating between encryption in transit (when data is being transported to and from the cloud service provider over a network), and encryption at rest, where it is stored.
It also highlights the need for proper key management. Encryption keys are the electronic certificates that enable garbled data to be decoded. Without these, data is effectively useless. With them, someone has the keys to the kingdom. So it is vital that they are neither lost, nor stolen.
Proper encryption and key management is important, but that alone will not be enough if user accounts are compromised. An employee of the data controller with access to cloud-based data must be using IT that is sufficiently protected. If they access that data from a malware-infected computer, then their account could be compromised, meaning that even encrypted data could be stolen, and the controller could be liable for any resulting breaches.
Companies must understand the nuances: encrypting data means retaining control of the keys that are used to unlock the data. Lose them, and you may find yourself guilty of effectively destroying personal data, which contravenes the Act.
Considerations such as these have led Gartner to identify the challenge of data security, resilience and compliance in the cloud, and predict how companies will address these challenges. It estimates that by 2016, 25 per cent of enterprises will secure access to cloud-based services and vendor platforms through a unified solution to broker security in the cloud and enforce security policies. This category of products includes Cloud Encryption Gateways, which encrypts data before it leaves an enterprise’s firewall, rendering it safe inside the cloud.
These are examples of the complexities underlying even the simplest-sounding technical measures, and the same is true of the whole security process. Conducting a risk analysis, for example, is deceptively difficult. Companies must measure the impact of fines by a regulatory authority, but also the reputational damage incurred by a breach, the cost of customer notification, and the ongoing recovery cost.
Are you already in the cloud?
There are also far-reaching cultural implications that may already be in play. In many cases, companies may think they’re starting on the path to cloud computing from scratch, without realising that they are using a cloud service already.
Many organisations suffer a significant disconnect between the IT department and business departments, each calcified by differing political agendas. The IT department may feel in control of its technical infrastructure, unaware that a business department has decided to cut through the bureaucracy and simply use an external cloud-based service, expensing it on a departmental account.
To truly regain integrity and build a secure cloud services strategy, IT departments may need to undo this damage with a kind of cultural audit, in which business departments are polled to find out exactly what they are using and why. CIOs may have to adjust their relationships with business departments, adopting a more service-led approach, in which they become the central clearing house for IT services, even when procured from third parties. They may need to court the procurement department, building connections where none had existed before, to regain the control that they thought they already had.
And you thought the ICO guidelines were purely technical? In today's rapidly changing computing environments, pure technocrats do not prosper. A robust organisational understanding is just as important as a thorough technical one when meeting these challenges.
These challenges needn’t stop you from using cloud computing. A thoughtful cloud strategy can still yield rewards and save businesses money. But step cautiously, friend, when dancing with that 500,000-pound gorilla; you don’t want to tread on his toes.
Richard Olver is Director of EMEA for CipherCloud; provider of cloud encryption and tokenisation gateways that enable enterprises to securely adopt cloud applications by eliminating concerns about data privacy, residency, security, and regulatory compliance.