There is so much software as a service now that data heads off into the cloud and lands who knows where.
But that doesn’t absolve you of the need to know where your data is, how it is secured and what laws and regulations its retention must comply with. For this, you need to carry out a cloud-compliance audit.
Your service provider may not state where your data will be held, let alone guarantee that it stays in the same country or even on the same continent. They may move data around for load balancing, or may fail over to another datacentre if things go wrong.
If you don’t take steps to find out, you are unlikely to know where your data is. Not long ago, data stayed safely in the data centre behind a firewall, and rarely ventured much further than branch offices or to the tape storage warehouse.
Life was easy then. But now, in the age of the cloud, there are numerous laws and regulations that make things less simple. The bottom line is, you are classed as the data controller for compliance purposes and this means you need to comply with the laws and regulations that apply in the territories in which you operate and/or data is held.
For example, if you are sending personal data outside the European Economic Area (EEA) you are required to comply with Principle 8 of the UK Data Protection Act, which states: “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Furthermore, you will be subject to the local laws of the country in which your service provider is based and of the country in which your data is stored. You can be prosecuted under these laws even if you just make use of a datacentre in a European country.
Another example is the 2001 USA Patriot Act, which states that data stored in the US or UK, by any company headquartered in the US, is subject to access by federal authorities. This includes financial information and emails.
The key thing to take away here is that before sending personal data off to be stored or managed by any third-party provider, you have to know where it is being stored and how it is protected. In other words, you need to conduct a cloud compliance audit.
As an organisation you are the data controller, and even though you outsource the storage process to a cloud provider, responsibility for it still belongs to you.
A cloud compliance audit should include a review of policies and procedures that the cloud storage provider applies to your data, the technical solutions in place to protect your data, and the skills of technical or business staff responsible for your data. You may also want to physically audit the datacentre where your data is stored.
In short, you should know everything that happens to your data, just as if you stored it on your own premises, so that you don’t fall foul of data protection laws and regulations.
Kingsley Eley is principal consultant at GlassHouse Technologies (UK). For more information, visit GlassHouse.com and the GlassHouse blog for expert commentary on key datacentre issues, and follow us on Twitter @GlassHouse_Tech.
This was first published in November 2013