How to assess the security of a cloud service provider
As businesses continue to put more information online, understanding cloud suppliers and agreements has never been more important
As businesses continue to put more of their information online, understanding cloud suppliers and agreements has never been more important
As a user, when my iCloud, Google Drive, Dropbox, etc. synchronise, seemingly by magic, across my smartphone, tablet and laptop, I do not want to know how the cyber plumbing works. I leave all that to the IT professionals. But can I expect them to warn me if I am taking unreasonable risks?
Not really. If it is your own personal data then, in a way, it is your own choice if you want to put it at risk. But if you are storing personal data on behalf of an organisation, then the legal responsibility lies firmly with your organisation, and specifically your data controller, to get this right – the responsibility does not transfer to the service provider.
A data breach could leave you open to fines of up to £500,000 and prosecution by the Information Commissioner’s Office.
So why would you even consider using the cloud and cloud-based technologies?
Hidden complexities of cloud computing
Cloud services are a vital part of today's mobility – many of us now want to access any of our data from every one of our devices, all the time, wherever we are. To do this, data has moved off our personal devices into the cloud. All this complexity is hidden from the user, and the global nature of the market provides keen competition.
Costs for cloud-based services are, by and large, cheap, and in some cases the services are free at the point of use. Sounds too good to be true doesn’t it?
Whenever I am offered something that is free, especially when it comes to the cloud, understanding the business model has never been more important. I have decided that I am prepared to let Google harvest my internet activity in return for the benefit of my using Google Drive and similar cloud-based services. But does every user understand the choices they are making?
Data breach fines issued by the ICO
- ICO fines Glasgow City Council for loss of unencrypted laptops
- ICO issues £200,000 penalty for failed IT disposal
- ICO fines text spammers Tetrus Telecoms £440,000
- ICO hits Stoke-on-Trent City Council with £120,000 fine
- ICO hits Sony with £250,000 data breach penalty
- ICO issues £150,000 penalty, urging more care with personal data
- ICO fines Midlothian Council £140K for data breaches
- Croydon council handed £100,000 fine by ICO
With the complexity hidden from the user, data may be stored under foreign legal jurisdictions, potentially allowing governments and other organisations access to certain aspects of users’ personal lives. When was the last time you read and really understood the "end user licence agreement" before you clicked "I accept"?
For small businesses, how do they know their data is safe? Am I breaching data protection legislation if I put my company’s personnel data into the cloud? What happens to my data if the internet startup I contracted with goes out of business?
Assessing cloud security
There are a number of ways to assess the security of a cloud service provider, ranging from inspecting their premises to asking if the provider has any third-party certification or accreditation to back up the service contract, so here are a few things that are vital to do:
- Identify what type of cloud-based services you want
Really nail down the personal or business requirements – you do not want to end up getting the wrong service or paying for functionality you do not need;
- Identify who your data controller is
Organisations or businesses that are processing personal data must identify who their data controller is. Like it or not, this is the individual who will be legally held to account for the data, even if is in the cloud – yes, a problem shared is still your problem!
- Decide what level of information assurance your data requires
You need to assess the impact that the loss of that data will have on your business/individuals. That will determine the level of service required in terms of confidentiality (how much protection does the data need in transit and storage, for instance does it always need to be encrypted?); integrity (the more integrity a cloud service has, the more confident you can be that data will not be interfered with); and availability (how available do you want your data to be, e.g. instant access always?) These levels should all be stipulated very clearly in a written contract with a service level agreement.
- Check where your data is being stored
The Data Protection Act 1998 lists trusted areas as the European Economic Area (EEA), US companies party to the safe harbor agreement, and countries of "Adequacy" (details at www.ico.org.uk). For some of the larger cloud service suppliers who have 24/7 "follow-the-sun" operations, it could very well mean that the data is supported and thus processed from countries not falling into the three categories of trust outlined above, potentially putting your personal data at risk.
more on cloud security
- Why the cloud is not a security nightmare
- Enterprise security moving to the cloud, says Gartner
- Cloud: security threat or solution?
- Cloud security still top concern for UK CIOs, survey shows
- Six security issues to tackle before encrypting cloud data
Other things to check include data destruction on contract completion and/or data recovery on contract termination. The above is not exhaustive, but serves as a guide towards the minimum steps required to use cloud services safely.
Do not get me wrong – cloud is great! Many organisations and individuals could not work without it now. But like so many new ideas, the benefits are seen and warmly embraced before the risks are fully understood.
The IT industry has a duty of care to explain the benefits and the risks to users. A good starting point would be for those in the IT industry to set out some simple principles of what the user can expect from service providers so that users can understand the risks and then balance them against the benefits that cloud can undoubtedly deliver.
Andrew Fitzmaurice is chief executive of Templar Executives.