The decision by global HR firm Randstad to migrate to Google from its on-premise Exchange and Lotus Notes servers should raise a few questions for CIOs considering the cloud.
Randstad is a global firm which holds personal data, yet it has chosen to implement Google in the cloud over on-premise email.
Lower running costs and flexibility are the main drivers for the migration.
Increasingly, IT departments will turn to cloud-based email, whether it is provided by Google, Microsoft (with Office 365) or other providers, because email is the original internet application.
It does not make sense to host a server in a datacentre when large service providers benefit from economies of scale that allow them to operate a global email system highly efficiently, with a high level of resilience.
Hans Wanders, CIO at Randstad, expects cloud-based email will become the norm. However, it is not suitable for every business. Even at Randstad, which is planning a global roll-out, the operations in China will not have Google, due to government restrictions. And while Randstad has worked on a global contract, which overcomes many of the issues that local countries may face with personal data moving across borders, Wanders leaves the implementation to individual operating companies.
He said: “In Germany, for instance, an additional agreement with Google was necessary.”
Global data privacy
According to Alistair Maughan, a partner at law firm Morrison & Foerster, data privacy is one of the big issues for organisations. He said: “There is no real continuity. A different approach to data privacy is taken in the key jurisdictions and there is no real consistency between them.”
No privacy legislation specifically deals with cloud computing. Organisations need to follow the letter of the law, but this is near impossible.
Maughan added: “It is a minefield. In the US, for instance, there are sector-specific privacy laws, like HIPAA for health, along with different laws at state level.”
Europe is more unified, but the EU Data Protection Directive can be interpreted differently by the 27 member states.
For a European organisation wishing to migrate to cloud-based email, Maughan said the employer needs to ensure that the terms and conditions of employment for its staff stipulate that their personal data can be moved to the cloud. However, he said, “it is harder if you deal with external data.”
This is because the EU Data Protection Directive deals with the privacy of individuals.
The organisation can use Model Contracts, which provide a set of terms and conditions that meet European data privacy requirements.
Google, for instance, now offers Model Contracts for its European customers, along with ISO 27001. But, as Maughan explained, Model Contracts are not the whole story.
He said: “In Germany, data protection laws are more stringent. German courts have examined the issue of cloud computing. The Düsseldorf information commissioner gave guidance for sensitive data, which means an organisation needs express consent, so a model contract is not sufficient.”
He said French law talks about the need for a risk assessment and a privacy agreement to stipulate specific locations where French data can be stored.
Maughan added that Denmark advised against deploying Google. The Danish authorities now require a certain level of encryption, both for the transmission of data to and from the cloud service provider and for its storage.
Securing email data
Gartner vice-president Carsten Casper urged IT directors to put pressure on providers to commit to the location of cloud datacentres (or even to change it), and ask under which conditions they will hand over personal information to law enforcement agencies and tax and financial auditors.
Writing in the analyst’s European Businesses Are Only Slowly Overcoming Their Reluctance to Transfer Personal Data to the Cloud report, Casper recommended that IT directors ask the cloud provider to explain how data from different clients is separated. Data could be separated in different folders, different virtual machines or different database tables.
“You don't want your information to be included when hackers or law enforcement agencies grab information from other cloud clients,” said Casper.
He also suggested that data stored in the cloud could be obfuscated in some way.
In the report, he explained: “Replace personal information with pseudonyms, such that business processes in the cloud do not have to be changed, yet sensitive information is not exposed. Some companies offer data masking on the fly, which can essentially enable jurisdiction-based access control.”
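Casper’s pseudonymisation approach, as an added example that is not part of the original article or of any vendor’s product: a hypothetical on-premise PseudonymGateway, with a constructed key and constructed records, replaces PII with keyed pseudonyms before records go to the cloud, a cloud-side process keeps working on the tokens unchanged, and re-identification is gated on the requester’s jurisdiction.

```python
import hmac
import hashlib

# Constructed demo key; in practice this key stays on premise and never reaches the cloud.
ONPREM_KEY = b"constructed-demo-key-keep-on-premise"
PII_FIELDS = ("name", "email", "national_id")


class PseudonymGateway:
    """Hypothetical on-premise gateway that swaps PII for pseudonyms before records leave."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # pseudonym -> (jurisdiction, original value); stays on premise

    def _pseudonym(self, field: str, value: str) -> str:
        # Keyed HMAC: deterministic, so one person always maps to one token (cloud-side
        # joins and grouping still work), but not reversible without the on-premise key.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
        return f"{field}_{mac[:16]}"

    def outbound(self, record: dict) -> dict:
        """Replace PII fields with pseudonyms; business fields pass through unchanged."""
        out = dict(record)
        for field in PII_FIELDS:
            if field in out:
                token = self._pseudonym(field, out[field])
                self._vault[token] = (record["jurisdiction"], out[field])
                out[field] = token
        return out

    def inbound(self, record: dict, requester_jurisdiction: str) -> dict:
        """Re-identify only for a requester in the data subject's jurisdiction."""
        out = dict(record)
        for field in PII_FIELDS:
            entry = self._vault.get(out.get(field))
            if entry and entry[0] == requester_jurisdiction:
                out[field] = entry[1]
        return out


def cloud_hours_per_worker(records: list) -> dict:
    """Cloud-side process that runs unchanged on pseudonymised data: hours per worker token."""
    totals = {}
    for rec in records:
        totals[rec["national_id"]] = totals.get(rec["national_id"], 0) + rec["hours"]
    return totals
```

A requester outside the data subject’s jurisdiction gets the same record back with the pseudonyms still in place, which is the jurisdiction-based access control the report describes.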
There is a sense that organisations risk having their data accessed by law enforcement agencies through legislation like RIPA in the UK and the US Patriot Act. Maughan said a lot of these fears are blown out of proportion. Nevertheless, CIOs should consider the impact of such legislation when they are signing up with a cloud provider.
“If you get your energy from a big European utility, you would not expect the US authorities to get hold of your energy usage,” said Maughan.
From Google’s recently published Transparency Report, it would appear US government officials have a fast-track way to access cloud-based data without needing a court ruling.
The report shows that 68% of the requests Google received from government entities in the US were through subpoenas.
In the report, Google said: “These are requests for user-identifying information, issued under the Electronic Communications Privacy Act (ECPA), and are the easiest to get because they typically don’t involve judges.”
The lesson to take away from Randstad is that a global roll-out for a cloud email system is perhaps more a statement of intention.
It must still deal with the fact that Google is not able to run within China. Randstad’s CIO oversees this strategy, but he has given each country the responsibility for implementation. This has effectively freed him from the challenges of working through the intricate data protection issues that Randstad may encounter in different countries.
“As CIO, I will set a standard, and let local companies do their own roll-out,” Wanders explained.
His strategy is rather like HSBC’s “Think global, act local” advertising campaign, where a global businessman learns to fish from a local fisherman. The data privacy issues are not likely to go away any time soon.
In a recent Computer Weekly article, Maughan said: “Maybe the best way to create trust in cloud solutions is for the commission to keep out of the way.”