Cloudy data sovereignty in Europe (part one)
When considering cloud, the inevitable security questions arise: where are your data centres? What happens to my data? How can I ensure the decision I am making does not expose us to risk?
Ignoring cloud outright in today’s competitive environment is not a viable option, nor should it be.
There are a multitude of security areas that encroach on cloud solutions, varying based on whether you adopt a public, private or hybrid cloud approach and whether you use SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service).
In this two-part article we shall focus on the most common public platform in use, Software as a Service (SaaS), expected to be worth 11bn Euros in the next year according to Gartner (compared to expectations of 4.7bn Euros for IaaS and 923m Euros for PaaS).
Security in the cloud should be approached and treated in a similar way to security in a physical shared environment, evaluating risks, the technology, the vendor and reputation, although there are new areas to consider with cloud that typically have not come up when deploying product-based solutions.
If a company utilises cloud computing, its data will not be located within servers in its own office. It is therefore vital to know where that data is being held and who has access.
When using a cloud provider you are likely no longer to be in exclusive control of your data, and you will not yourself be deploying the technical, organisational and people measures that ensure the availability, integrity and confidentiality of the data stored.
Data security and privacy are consistently reported as the top concerns and hindrances to cloud adoption, as seen again in the most recent end-user study from the Cloud Industry Forum.
Trust in the cloud is growing, however. According to an Attenda survey of 100 CIOs and IT Directors, 87% of respondents stated that they have more trust in the cloud today compared with a couple of years ago.
Whilst trust is growing, there remain concerns over data security, privacy and location.
There is much debate over the data issue, with varying opinions legally, commercially and emotively.
At the recent Cloud Computing World Forum a European Commission Director stated: “It shouldn’t really matter where Europe’s data is stored, as long as it’s secure and protected”.
However, the Attenda survey found that 52% of financial services respondents still ranked the location of data as a top 3 barrier to moving business-critical applications to a cloud environment, and it was even more important for the other commercial sectors, where 76% of respondents ranked it as a top 3 concern.
So the location of data remains one of the key hurdles in cloud adoption, particularly in regulated industries such as the finance sector, and this is also extending across other commercial sectors such as retail, manufacturing, transport and distribution.
There is much debate around data sovereignty and cloud providers have a responsibility to their users to provide clarity in this area.
The question usually asked by customers is simply "where are your data centres?", but it needs to be closely followed by "where will my data be stored?", "where will the backup and failover data be held?" and "are you a USA-owned company?"
Understanding local and EU data legislation, and any vertical legislation affecting your sector, is key to making educated choices about which cloud platforms and vendors to consider and utilise.
Examples are the European Union’s Data Protection Directive of 1995 and the UK-enacted Data Protection Act (DPA) of 1998. The EU directive requires all EU Member States to protect people's fundamental rights and freedoms and, in particular, their right to privacy with respect to the processing of personal data, which includes the storing of data.
Importantly, it also directed that personal data should not be transferred to a country or territory outside the European Economic Area, except to countries which are deemed to provide an adequate level of protection.
So there are a number of strict controls in place to ensure the protection of data. However, business and IT managers need to ask vital questions about how and where data is stored in order to continue to comply with the European regulations and local data laws when utilising a cloud environment.
Watch out for part two tomorrow, which will concentrate on what these questions are, and take a specific look at the 'safe harbour' framework, aimed at greater protection of data.