Cloudy Data Sovereignty In Europe
About the author
Ian Moyse has over 25 years of experience in the IT Sector, with nine of these specialising in security. For the last 8 years he has been focused on Cloud Computing and has become a thought leader in this arena. He now holds the role of Sales Director at Cloud CRM provider Workbooks.com. He also sits on the board of Eurocloud UK and the Governance Board of the Cloud Industry Forum (CIF), and in early 2012 was appointed to the advisory board of SaaSMax and as Cloud Advisory Director to the board of Evoco. He was named by TalkinCloud as one of the global top 200 cloud channel experts in 2011, and in early 2012 Ian was the first in the UK to pass the CompTIA Cloud Essentials specialty certification exam.
When considering cloud, the inevitable security questions arise: where are your data centers, what happens to my data, and how can I ensure the decision I am making does not expose us to risk? Blatantly ignoring cloud in today’s competitive environment is not a viable option, nor should it be. Cloud is disruptive and is changing the way we do many things, but its form factor inherently delivers us more choice and flexibility to service an ever-demanding user base pushing for mobile device access, easier interfaces and rapid change.
There are a multitude of security areas that encroach on cloud solutions, varying based on whether you adopt a public, private or hybrid cloud approach and whether you use SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service).
In this article we shall focus on the most common platform in use: public cloud Software as a Service (SaaS), expected to be worth 11 billion Euros in the next year according to Gartner (compared to expectations of 4.7 billion Euros for IaaS and 923 million Euros for PaaS).
Security in the Cloud should be approached and treated in a similar way to security in a physical shared environment, evaluating risks, the technology, the vendor and reputation, although there are new areas to consider with cloud that typically have not come up when deploying product-based solutions. If a company utilises cloud computing, its data will not be located within servers in its own office; it is therefore vital to know where that data is being held and who has access.
When using a cloud provider you are likely to no longer be in exclusive control of your data and will not be deploying the technical, organisational and people measures to ensure the availability, integrity and confidentiality of the data stored. Data security and privacy are consistently reported as the top concerns and hindrances to cloud adoption as reported again in the most recent end user study from the Cloud Industry Forum (below).
Trust in cloud is growing, however; in fact, according to an Attenda survey amongst 100 CIOs and IT Directors, 87% of respondents stated that they have more trust in the cloud today compared with a couple of years ago. Whilst trust is growing, there remain concerns over data security, privacy and location.
There is much debate over the data issue, with varying opinions legally, commercially and emotively. At the recent Cloud Computing World Forum a European Commission Director stated ‘that it shouldn’t really matter where Europe’s data is stored, as long as it’s secure and protected’. However, the Attenda survey found that 52% of Financial Services respondents still ranked the location of data as a top 3 barrier to moving business critical applications to a cloud environment, and it was even more important for the other commercial sectors, where 76% of respondents ranked it as a top 3 concern. So the location of data remains one of the key hurdles in cloud adoption, particularly in regulated industries such as the finance sector, and this is also extending across other commercial sectors such as Retail, Manufacturing, Transport and Distribution.
There is much debate around data sovereignty, and cloud providers have a responsibility to their users to provide clarity in this area. The question usually asked by customers is simply "where are your data centres?", but it needs to be closely followed by "where will my data be stored?", "where will the backup and failover data be held?" and "are you a USA owned company?"
Understanding local and EU data legislation and any appropriate vertical legislation affecting your sector is key in making educated choices about which cloud platforms and vendors to consider and utilise.
Example considerations are the European Union’s Data Protection Directive of 1995 and the UK-enacted Data Protection Act (DPA) of 1998. The EU directive requires all EU Member States to protect people's fundamental rights and freedoms and, in particular, their right to privacy with respect to the processing of personal data, which includes the storing of data. It also importantly directed that personal data should not be transferred to a country or territory outside the European Economic Area, except to countries which are deemed to provide an adequate level of protection.
So there are a number of strict controls in place to ensure the protection of data; however, business and IT managers need to ask vital questions about how and where data is stored in order to continue to comply with the European regulations and local data laws when utilising a cloud environment.
In the USA, the Department of Commerce created the Safe Harbor framework in 2000 to ensure organisations put appropriate controls in place for the protection of data when handling European and UK companies' data that may be stored in the USA (for example, an American company with regional offices in the UK, France and Germany that keeps employee data such as employment, tax and personal details centrally in the USA). The Safe Harbor directives consist of seven rules that have been established specifically for US companies to comply with EU data storage directives.
The ‘safe-harbor’ approach, which allows for data on EU subjects to be moved out of the EU, does not have the adoption you may think, even if you did decide it covers your needs. Many USA Cloud firms have not signed up to safe harbor and the liabilities that it might entail for them. So it’s important to establish two things: one, does it give you the safety you want, and two, has the vendor you’re considering signed up to it, and is this reflected in your terms of service/license with them? Transfers to USA organizations adhering to the safe harbor principles can take place lawfully under EU law, since the recipient organisations are deemed to provide an adequate level of protection for the data.
There has been much discussion recently about storing data in the USA or with non-European cloud firms, driven largely by the realisation that the United States can use the Patriot Act to access European citizens' data without their consent. The Patriot Act provides the ability for US Government and law enforcers to access foreign data stored on USA-located servers as well as data held in the EU by USA-based vendors.
You may also hear of the ‘Article 29 Working Party’, an independent European advisory body on data protection and privacy issues, made up as a committee of representatives from the 27 data protection authorities in EU member states. It analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA). In July 2012 the Article 29 Working Party stated, on cloud, that companies exporting data to providers outside their local jurisdiction should not merely rely on the statement of the data importer claiming that they have a Safe Harbor certification. They recommend that the company exporting data should obtain evidence that the Safe Harbor self-certifications exist and request evidence demonstrating that their principles are being complied with. The Article 29 Working Party stated: “Businesses that wish to use cloud services to store and process personal data must use providers that can ‘guarantee’ compliance with EU data protection laws.” The Working Party’s conclusion appears to be that US Safe Harbor coverage is not robust enough, on the basis that it alone cannot substitute for the relevant contractual arrangements and guarantees which may be required by individual data protection authorities.
When using public clouds, which are offered globally to a range of audiences from enterprise companies through to small businesses and consumers, there is a risk of data leaving the EU without you knowing. You have the right to know if this may happen and where your data may be stored, and the cloud provider should be open with you about this and give transparency so that you can make those educated choices.
Since the issues around USA-stored cloud data and the Patriot Act's lack of alignment with the Safe Harbor principles came to light, European bodies have been revising and updating the data protection laws that apply to all 27 European member states, and this is under review as this article is written. Outlined plans for change, including amendments that may compel any non-European company with customers or clients within Europe to comply with European regulations, are expected during the next few years. It was stated that ‘the European Commission will come forward with proposals to reform the 1995 Data Protection Directive during 2012’.
The other challenge that has highlighted the need for more legal clarity is whether the customer or the cloud provider is the data controller. The Controller is the one who determines the purposes and means of the processing of personal data. The Processor is the one who processes personal data on behalf of the Controller. Typically this means the customer is the controller; however, due to the nature of the cloud computing environment the historical definitions can be unclear, and such roles still often need to be determined on a case-by-case basis until legal clarity is brought to bear. Therefore it should be clear in a cloud provider's service contract with you whether you or they are acting as the Data Controller and thus have legal responsibility for the data held and processed in the elected cloud service. Data controllers are more responsible for data protection compliance than data processors.
It is therefore important to understand that you may be subject to the authority of the jurisdiction where your data and systems are hosted, or where the parent company providing the hosting is from. If you want to make sure that you are compliant with local data laws and also doing right by your own clients whom you hold data on, then you should be vigilant to understand where your data is ultimately held and whether or not the hosting entity is compliant with the appropriate local legislation that you require. New EU Data protection regulation could mean fines up to 2% of company turnover for data security breaches, and with fines and data breaches being reported more diligently (see reported 2012 breaches as examples), evaluating your obligations around data security and sovereignty now, and understanding them and any necessary actions, is key.
It is your data that you are putting into the Cloud, and according to the lawyers and the data protection laws this means that you are responsible for it. You are by default the data controller and must choose a cloud provider that guarantees compliance with data protection legislation. Microsoft, Google, Amazon, Salesforce and any other USA-based organisation have to comply with local USA laws, meaning that any data that is housed, stored or processed by a USA-based company is open to inspection and interception by USA authorities without notice to or permission of a non-USA company that has hosted its data in their systems.
In fact during Microsoft's Office 365 launch, Gordon Frazer, Managing Director of Microsoft UK, admitted exclusively to ZDNet that the Patriot Act can be invoked by U.S. law enforcement to access EU-stored data without consent. The managing director of Microsoft UK admitted that it would comply with the Patriot Act as its headquarters are based in the US. While it would try to inform its customers before this should happen, it stated that it could not guarantee this. This means that if you do business with a UK subsidiary of a USA based cloud operator who is hosting your data in the UK and you specify that English law applies as well as operating under EU data protection laws, the FBI can still get access to your data. While this had already been suspected, this was the first clear affirmation and is true for any US-based cloud provider.
This could illustrate why, in the Cloud Industry Forum 2012 Cloud Adoption outlook report, 47% of UK organisations wanted their data stored in the UK. This reflects a sense of national law being perceived as providing a higher level of comfort for users. In a separate public survey of 5,800 individuals carried out by the Cloud Industry Forum, 64 per cent had concerns as to where data would be stored.
Cloud is too important a technological offering to ignore and whilst there are undoubtedly a number of considerations to address, none are insurmountable and the cloud technologies offer a great benefit when used in the right areas and for the right reasons. As cloud becomes more mature and providers more sophisticated there will be accelerated adoption and more consistent answers and clarity to questions from customers.
So what approach can and should you take in your security diligence when adopting a cloud solution in the area of data, sovereignty and privacy?
Gartner defined six rights of a cloud customer:
– The right to retain ownership, use and control one's own data
– The right to SLAs that address liabilities, remediation and business outcomes
– The right to notification and choice about changes that affect the service consumer's business processes
– The right to understand the technical limitations or requirements of the service up front
– The right to know what security processes the provider follows
– The responsibility to understand and adhere to software license requirements
These are a good start as a high-level foundation and basis for what you should look to adhere to in adopting cloud services, possibly from vendors you have not dealt with previously. Businesses wishing to use cloud computing and concerned about data issues should conduct a risk analysis encompassing what data will be stored in or pass through the cloud service, the importance and confidentiality of the relevant data, any relevant EU, local or industry segment data protection rules to be complied with, and your own internal receptiveness to where data is stored and what comfort you require from the chosen cloud vendor.
All European Cloud providers should provide clients with all the necessary information to openly assess the relevant service, including clarity on where they will store the client's primary and backup data, which data laws will apply, who is deemed the data controller, and what data liberation terms are in place to ensure easy retrieval and removal of your own data if or when you choose to exit the cloud service.
As a client you should select a Cloud provider that guarantees compliance with EU data protection legislation, and many articles have suggested going further if dealing with a USA vendor. Suggestions include the recommendation that you should verify that the cloud provider will guarantee the lawfulness of any cross-border international data transfers with your data. They go as far as suggesting you ask the USA vendor who is providing cloud services to you in the EU to state clearly in their terms with you that "under no circumstances will the data you provide us leave the EEA, even from a request under the USA PATRIOT Act". Whether or not they will comply with your request, you should ask for clarity on what contractual service terms they have to protect you, and then make a decision based on your business's receptiveness as to whether those on offer are enough in relation to the data type you will hold in their service.
Cloud is here to stay in all its forms, and security, whilst an important consideration, is not a mandated prohibitor. As with any solution there is diligence to be done; cloud is not inherently less secure, and in many cases will be more secure than internally provisioned infrastructures. Well-provisioned cloud services can deliver a range of great advantages including greater security, more resilience, ease of mobile user support, flexibility, reduced costs and a greater user experience. However, as a business you need to understand your local responsibility as a data controller and ensure you have clear service contracts and SLAs in place to bring you the protection you require.
A recent publication of note in this area is the book Cloud Computing: Assessing the Risks, available now from http://www.itgovernance.co.uk/products/3820