What Cloud Security and the Open Championship Have in Common

The fast-approaching 2015 Open Championship is bound to thrill as we watch Rory McIlroy defend his title, Jordan Spieth gun for his third major win this year, and arguably the most competitive field of PGA pros from around the world clamour to make the cut and play through to the final round on Sunday.

In honour of the Open returning to storied St. Andrews where it is played every five years, this article pays homage to five Open champions from the past. Our picks happen to hail from countries with some of the strictest data residency regulations. The complex web of data residency laws across the globe can be as tough to navigate as the 18 holes at St. Andrews.

While the benefits of cloud adoption are numerous, companies frequently find that certain types of customer information need to be kept within a defined geographic jurisdiction, making the use of cloud solutions based in other parts of the world extremely difficult. Increasingly strict data privacy and residency requirements, put in place as a result of surveillance and data privacy concerns, are a significant challenge to cloud adoption.

IT should look for openness in its security solutions, such as adherence to industry standards and the ability of solutions to integrate with one another, so that trust in the cloud can be established.

For each player’s country of origin, let’s investigate the data privacy and protection regulations that apply:

Country: UK
Local Champion: Nick Faldo, 1987, 1990, 1992
Data Residency Law: Data Protection Act of 1998
Description: UK Act of Parliament which defines UK law on the processing of data on UK citizens. It is the main piece of legislation that governs the protection of personal data in the UK.

Country: South Africa
Local Champion: Louis Oosthuizen, 2010
Data Residency Law: Protection of Personal Information Act (PPI Act)
Description: Responsible party must secure the integrity of the personal information in its possession.

Country: France
Local Champion: Arnaud Massy, 1907
Data Residency Law: French Data Protection Act
Description: The Data Process Act (“DPA”), which implemented the EU Data Protection Directive.

Country: Spain
Local Champion: Seve Ballesteros, 1979, 1984, 1988
Data Residency Law: EU Data Protection Directive 95/46/EC implemented with the Special Data Protection Act
Description: The data controller shall carry out the technical and organisational measures necessary for securing personal data.

Country: New Zealand
Local Champion: Bob Charles, 1963
Data Residency Law: Privacy Act 1993
Description: An agency that holds personal information shall ensure that the information is kept securely.

Let’s take a closer look at the United Kingdom. The UK Data Protection Act is the UK’s legislation covering the processing of data on people and is the main piece of legislation that governs the protection of personal data in the UK. The Act places clear demands on those holding personal data in terms of the security that must be applied to protect it, and meeting these standards requires a wide range of security measures:

• Data must be processed fairly and lawfully
• Data must be processed in accordance with the rights and freedoms of data subjects
• Data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage
• Data must not be transferred to a country or territory outside the European Economic Area unless that country or territory protects the rights and freedoms of the data subjects.

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest. It recently provided guidance on the use of cloud computing, reiterating that responsibility for data protection remains with the data controller (the enterprise). Particular consideration should be given to mitigating the security risks relating to personal data, since foreign law enforcement agencies may have the power to demand access to personal data stored in a foreign data centre. Failing to protect private data can result in ICO-levied fines.

So what is an organisation to do? Look exclusively at cloud solutions that are based wholly in the country where they operate? Avoid cloud services altogether? Both of these approaches are impractical. Enterprises need to adopt cloud-based solutions, the best ones available irrespective of location, in order to drive their businesses and remain competitive.

Consider offering security services such as “tokenisation-as-a-service” to business units within the enterprise, to enable compliant cloud use and adoption while protecting data being processed and stored in the cloud.
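As an added illustration of the tokenisation idea (example code written for this article, not a Perspecsys product or any real tokenisation service), the hypothetical TokenVault below keeps the mapping between random tokens and the original personal data inside the enterprise, so only tokens leave for the cloud and the real values never cross the jurisdiction boundary; the field names and sample record are constructed.

```python
import secrets
from typing import Dict

# Fields of a record that must stay in-jurisdiction (constructed list).
SENSITIVE_FIELDS = {"name", "email", "national_id"}


class TokenVault:
    """In-jurisdiction token vault (hypothetical). Maps random, meaningless
    tokens to the original values; the mapping never leaves the enterprise."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        # The same value always yields the same token within one vault, so the
        # cloud application can still match and search on the field. Note that
        # this consistency reveals equality of values; use fresh tokens per
        # record if even that is unacceptable.
        token = self._value_to_token.get(value)
        if token is None:
            # Random token: carries no information about the value it replaces.
            token = "tok_" + secrets.token_hex(8)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenise(self, token: str) -> str:
        # Only code running inside the enterprise ever calls this.
        return self._token_to_value[token]


def outbound(vault: TokenVault, record: Dict[str, str]) -> Dict[str, str]:
    """Prepare a record for a cloud service: swap sensitive fields for tokens."""
    return {k: (vault.tokenise(v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def inbound(vault: TokenVault, record: Dict[str, str]) -> Dict[str, str]:
    """Restore a record returned by the cloud service for in-house use."""
    return {k: (vault.detokenise(v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def leaks_sensitive_data(original: Dict[str, str], cloud_copy: Dict[str, str]) -> bool:
    """Check used before sending: does any sensitive value appear verbatim?"""
    return any(cloud_copy.get(k) == original[k] for k in SENSITIVE_FIELDS if k in original)
```

The non-sensitive fields (here, an order total) pass through unchanged, so the cloud service can still do its job on them.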

By David Canellos, President and CEO, Perspecsys

Image Credit: Shutterstock/Debby Wong