We have heard that one of the risks of cloud computing is protecting privacy and data confidentiality. Many think that if we store our data within Australia, it is safe. This is a simplistic assumption.
There are two aspects to the data confidentiality risk:
1. Can any other country access our data legally, but without our knowledge?
2. Can any other party illegally access our data?
In this blog, I will deal with the first question.
Can any other country access our data legally, but without our knowledge?
The answer is a “qualified YES”.
Another country can access the data, depending upon the legal jurisdiction of the contract and/or the location of the head office of the Cloud Service Provider (CSP).
Let us take an example. Microsoft had announced that even though the data center is located in Europe, it will need to comply with the US Patriot Act. It means that if the US Government requests any private data of European customers, Microsoft has to comply with that request.
What can you do about it?
There are two ways in which you can tackle this issue.
- Legal means
- Technical means
When you are finalizing the cloud services contract, include an explicit clause in the contract about disclosure. The clause can be along the lines of:
“Where a Cloud Service Provider (CSP) is required to disclose the Confidential Information of the Cloud Service Subscriber (CSS) pursuant to the order of a court or government agency, the CSP shall
- Notify the CSS
- Limit the extent of disclosure legally permissible
- Cooperate with CSS if they decide to legally contest the request”
(adapted from the book: Contracting for cloud services, Government Training Inc)
Including a legal clause will give some peace of mind to you as the CSS and make your legal team happy.
In addition to the legal clause, it is possible to ensure that the organization is aware of a request to disclose confidential data by choosing an encryption service.
For example, take Canada’s New Democratic Party (NDP). It uses the cloud service provider SalesForce.com for tracking voter details. As SalesForce.com is a US-based provider, it has to comply with the Patriot Act.
To control and govern the data, the NDP went for a third-party encryption solution. It ensures that only they can unlock the scrambled data. They chose to go with the new entrant CipherCloud (www.ciphercloud.com).
CipherCloud’s solution is shown below:
Since the NDP controls the encryption key, if the US government needs to access confidential data, it has to request it from the NDP. The NDP may choose to comply, but in doing so it ensures that it is complying with Canada’s privacy laws.
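The arrangement described above, where the subscriber encrypts confidential fields before they reach the provider and keeps the key itself, is sketched here as an added example; it is not CipherCloud's product or code from the original post. The field names, the sample record and all function names are hypothetical.

```javascript
// Added example: subscriber-side field encryption; all names are hypothetical.
const crypto = require("crypto");

const SENSITIVE_FIELDS = ["name", "phone"]; // assumption: fields the CSS treats as confidential
const PREFIX = "enc:v1:";

// Encrypt one field with AES-256-GCM. The record id and field name are bound
// as associated data so a ciphertext cannot be moved to another field or record.
function sealField(key, recordId, field, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(`${recordId}|${field}`));
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return PREFIX + Buffer.concat([nonce, cipher.getAuthTag(), body]).toString("base64");
}

function openField(key, recordId, field, stored) {
  const raw = Buffer.from(stored.slice(PREFIX.length), "base64");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${recordId}|${field}`));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, the ciphertext or the associated data is wrong
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

// What leaves the subscriber's network: sensitive fields replaced by ciphertext.
function protectRecord(key, record) {
  const out = { ...record };
  for (const f of SENSITIVE_FIELDS) {
    if (typeof out[f] === "string") out[f] = sealField(key, record.id, f, out[f]);
  }
  return out;
}

// Run on data read back from the CSP, inside the subscriber's network.
function revealRecord(key, stored) {
  const out = { ...stored };
  for (const f of SENSITIVE_FIELDS) {
    if (typeof out[f] === "string" && out[f].startsWith(PREFIX)) out[f] = openField(key, stored.id, f, out[f]);
  }
  return out;
}

// Constructed sample record; the key is generated and kept by the subscriber only.
const key = crypto.randomBytes(32);
const voter = { id: "r-1001", name: "Sample Person", phone: "555-0100", riding: "Sample Riding" };
const atProvider = protectRecord(key, voter);
console.log(atProvider); // the provider stores ciphertext for name and phone
```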
So, does it mean that if an Australian company (with its registered head office in Australia) has a local data center, you do not have any issues? You still have the issue of a party illegally hacking the data. They can hack the data “at rest” or “in transit”. In summary, consider the following aspects while evaluating a cloud service provider.
- Head office of the company
- Legal jurisdiction of the contract
- Physical location of the primary data center
- Physical location of the backup data center
- Data security when the data is “at rest”
- Data security when the data is “in transit”