Compliance & Data Protection in the Cloud

 Users of cloud enabled solutions that hold personal or sensitive data must ensure that it is secure and protected from unauthorised use. The fundamental requirements are no different from the requirements relating to paper based data or data held on a proprietary IT infrastructure from a regulatory and good business practice perspective.

The perceived and sometimes actual issue is that data you have acquired and are responsible for is now stored by a 3rd party located outside your proprietary infrastructure and to a significant degree outside your control.

Brokerprove is developed with the latest technology using IT and Cloud best practices.

What is the Cloud?

Think of the cloud as a set of IT resources that you can access and use which do not reside on your premises or within your IT infrastructure. You and even perhaps your cloud provider may not even know specifically where the data resides, unless you have a specific agreement when you set up a Cloud based service. You may retain control of who has access or direct your Cloud provider to manage your authorized access. For those of you who remember the Data Centre, the cloud is analogous to a Data Centre. You are probably a user of cloud based services already such as Google mail, Google Apps, Microsoft Office 365 as examples. There are many advantages of using a cloud-based service but the one that has most resonance is you pay for what you need and use on a rental model, rather than incur high capital or setup and maintenance costs for a proprietary IT environment. There are two types of Clouds: Private and Public. Private is a solution that is exclusively dedicated to your organization and authorized stakeholders, Public is where the cloud provider resources may be shared across many of their customers.

There are three main ways of using cloud services and there are many reputable suppliers for each:

Infrastructure as a Service (IaaS)In this scenario you use the hardware (server, storage, networks) and operating systems from your provider. You are responsible for and have complete control over all aspects of the software and data you develop and/or install and use in the environment. (Examples of providers include Microsoft, IBM, HP, Amazon and many more small and large).Platform as a Service (PaaS)This scenario is similar to IaaS above but in addition you also rent your software development environment and manage and control that environment. (Examples of providers include Google, Amazon and Microsoft Azure are some examples).Software as a Service (SaaS)

In this scenario you have everything provided to you by your cloud provider to host and operate your business application(s). All you do is configure the application for your business and control the data. (Examples include Salesforce.com, OmniBroker, Google mail, Office365 from Microsoft).

Data in the Cloud

In all the forms of Cloud Computing above, your data is unlikely to reside under your control, and therefore there is increased potential risk of accidental or malicious use of this data unless proper precautions are taken. It is not the intention of this paper to delve into every aspect of how to secure an infrastructure as this is adequately covered in earlier blogs and papers.

Protecting data in the Cloud and 3rd party providers.

There are two core functions when it comes to Data Protection:-

The Data Controller:-
The Data Control function in an organization is totally responsible for ensuring that adequate data security, processes, and data handling meets the local regulatory requirements and the needs of the specific organization, its business and its stakeholders when it comes to personal and sensitive data. They are responsible end to end for the use of this data from acquisition to permanent deletion.The Data Processor
The Data Processing function is that function that receives, analyses, manipulates and stores the data and this function also has a requirement to meet the security and protection needs of regulators and business stakeholders. The Data Controller has responsibility to ensure that the Data Processor carries out their functions in compliance, whether they are internal or external to the organization.In the context of this discussion our cloud provider (whether a Public or Private Cloud solution is provided) is the Data Processor.

You as the customer (Data Controller) must address the following three areas:-

  1. Security: You must satisfy yourself that the cloud service provider has adequate security physical and virtual that meet your business/organisations needs and the needs of the local data protection regulatory agency, however so prescribed.
  2. Jurisdiction: You must also confirm that the jurisdiction the data is held is acceptable to the local regulatory and your business/organisations requirements.
  3. Contracts: You must have in place an adequate contract with your cloud provider that meets the requirements of you as a Data Controller and addresses data security and regulatory needs.

How do I address the Security, Jurisdiction, and Contract Requirements relating to my provider?

  1. Security: This is really no different to looking at your own internal security requirements; the level of activity and investment you make will be dependent on the context, the supplier and the jurisdiction.
    1. Does the supplier have independent international security standards certification that are acceptable to you?
    2. Is the supplier of a Brand, Scale and Reputation that gives you high confidence?
    3. If the answer to A and B above is yes then your Data Controller might just complete a site visit or audit coupled with reference checking before proceeding to contract.
    4. If the answer to either A or B above is no, then a full vendor procurement assessment should be completed, which should include a detailed assessment and inspection of their physical and virtual IT security as part of the process.
  2. Jurisdiction: Your clients, stakeholders and/or local regulators may be very specific about Jurisdiction where data is recorded and processed. Some considerations are as follows:-
    1. You should establish the exact physical location(s) in which your data may be processed or reside, these would include primary data, copies, Backups and disaster recovery sites to ensure they are compliant.
    2. You may want carry out an environmental assessment for the location covering the usual Political, Technical, Social, Cultural stability etc.
  3. Contracts: You must ensure that you have an adequate contract with your supplier which covers all your normal requirements but has explicit clauses on security, Jurisdiction and compliance relating to Data Protection. In particular the EU has a Model Contract which provides a template for EU compliance that can be used and it is mandatory for compliance if using a provider who will process/store data outside the EEA Zone. In practice the the clearest solution is often to ensure the data is held in your own home country.

Pragmatism and Gotchas with Data Protection

The most important thing is within your organization is that culturally Data Protection is taken seriously and competent resources are dedicated to protecting your precious data and reputation. Do not be surprised if you or your staff are already using Cloud services where you have not considered some of the guidelines above; the chances are that you are compliant, but you should check it out anyway. Remember in some jurisdictions there is legislation that restricts where data can be located and how it is located and also gives liberal powers to state agencies to access any data.

Finally if you use a service that includes Digiproves patented technology process then you have an added layer of protection that enables you or any authorized 3rd party validate the provenance, integrity and authenticity of any digital data you store or process in the cloud.