The popular news digest, The Week, has a regular feature for technical but unglamorous news items called "Boring but Important". The recent developments in the fast-paced world of Data Protection have to be a good candidate for the column. You see, the UK’s ICO has sent a stern warning to businesses: Data protection is primarily your responsibility especially if the data is stored in cloud infrastructure. As the ICO can impose fines of over six figures, what the body says should be taken seriously.
It’s instructive for IT stakeholders to take a closer look at the ICO’s concerns. First up, unsurprisingly, was security. The ICO recommended that cloud users should visit their hosting partners’ premises and ideally carry out a third-party security audit, which would allow the customer to comply with its data protection obligations. As an adjunct to the security piece, the Commission also pointed out that cloud hosting providers running a multi-tenant environment should be able to show sufficient safeguards against the possibility of one cloud user gaining access to another’s data.
The ICO also says that cloud buyers must ensure the hosting partner can delete all copies of personal data, and should find out what will happen to any personal data they decide to withdraw from the cloud service in the future. Typically the evidence for that would be a Certificate of Destruction.
Another key area in the checklist is availability. The ICO says a cloud buyer needs to think about the consequences if a cloud hosting provider were to suffer a major outage. IT administrators should seriously consider backups, and the stakeholders need to understand the hosting partner’s capacity properly.
At Gartner’s recent Security Summit, an analyst produced a list of the issues enterprises have with cloud architectures. The list included lack of openness to audit, low compliance and security, no Certificates of Deletion and poor availability, all of them issues picked up by the ICO. As well as giving a warning to the UK business community, the ICO also issued some useful guidance for cloud infrastructure providers.
Up to now, hosted service providers in the EU have been able to hide behind their classification as data ‘processors’ rather than ‘controllers’, and avoid primary liability. However, after a series of high profile breaches and losses when personal data was held by a third party, Brussels has decided to tighten the rules.
Under the newly proposed regulation, the differentiation between data processor and controller will largely disappear, and processors will face a heavier compliance burden. Article 30 of the regulation, for example, will require data processors to implement and maintain technical and organisational measures to keep the data they hold secure. But what is much more troubling for the infrastructure-as-a-service industry is the requirement to notify the regulator within 24 hours of a breach.
While it is doubtful that the EU will be able to impose its whole wish list of new strictures on its 27 member states immediately, cloud providers should be aware of the impending responsibility and take appropriate measures sooner rather than later, as it’s only a matter of time.
Recent manoeuvring in Brussels points to a watering down of the regulation, but there is no denying that the overall trend is towards tightening privacy rules rather than loosening them. Even if these requirements don’t become law in 2014, they could easily do so the next time round, so it’s more important than ever for the cloud industry to keep a close watch on events.
Daniel Beazer is Director of Strategy at FireHost. FireHost Ltd is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe, held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk