By Frank Rankin
For when you first begin to undertake it, all that you find is a darkness, a sort of cloud of unknowing; you cannot tell what it is…
The Cloude of Unknowynge, Anonymous, 14th Century
When it comes to IT, “Cloud” is still a scary word for many organisations. The language doesn’t help – “Cloud” suggests an arrangement that is (literally) nebulous rather than the mature industry expected to be worth almost 200 billion dollars per year by the end of the decade[i]. The apprehension is largely expressed in terms of concerns around the robustness of security (let’s call those Principle 7 concerns) and the suspicion that cloud providers will store data willy-nilly on servers in far-off, non-European lands (we’ll call those Principle 8 concerns). But often these concerns are raised without any real attempt to explore what they are, or to look at the solutions and controls offered by cloud providers and others.
To be clear of our terms, let’s borrow from the US government definition: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [ii]
In other words, computing capacity is purchased from the supplier as a commodity, in contrast to an organisation purchasing and managing its own servers or software. And that means a transfer of controls.
Models of cloud computing range from Software as a Service (SaaS), such as Office 365 and Google Docs, through Platform as a Service (PaaS) to Infrastructure as a Service (IaaS), where the purchaser buys virtualised capacity and runs its own software.
Depending on the flavour of Cloud service being used, the scale of that transfer of controls varies as the diagram below illustrates.
Diagram: from Cloud Security and Privacy by Mather and Kumaraswamy
And it is that transfer that is a source of nervousness for organisations. But it needn’t be. The cloud providers have invested heavily in information security and see good security as a market differentiator. Vendors such as Microsoft and Amazon Web Services advertise their certification to ISO 27001:2013 and other national and international standards, and provide (within reason) detailed descriptions of their security arrangements. It is up to us, as purchasers of cloud services, to make our own risk assessment with regard to our information assets, and to assess the adequacy of the cloud vendors’ offerings against it.
While using cloud does involve the transfer of controls, we should be honest enough to recognise whether this is likely to offer an improvement in the efficacy of those controls. To take one example, your own IT colleagues may be good and conscientious at applying software patches and updates, but it is unlikely that they can respond as timeously and consistently as the big cloud providers.
In making our assessments, we can be guided by resources such as the UK Government Cloud Security Principles against which suppliers listed on the G-Cloud are expected to self-assess.
Where the purchaser sees a need for further security controls in addition to the out-of-the-box cloud offerings, there is an extensive ecosystem of third-party vendors who specialise in add-on solutions for security, records management and other governance challenges around the cloud.
As long as the transfer of control is done transparently, and the organisation has clearly mapped out the locus of each required security control (on premise, core cloud offering or third-party solution), then it should be in a good position to assure itself of the ongoing robustness of its information security on the cloud.
So much for Principle 7 of the Data Protection Act 1998.
The data protection concerns relate to the globalised nature of cloud provision. Perhaps in the early stages, the big cloud players in the USA didn’t always “get” European privacy concerns.
But the cloud providers have matured in their understanding of these issues. That is why, for example, Microsoft offer European customers guarantees that their Office 365 or Azure solutions will be hosted within Europe (Dublin and Amsterdam at the moment, with a U.K. data centre due to open shortly). The larger vendors, such as Amazon, are happy to provide European customers with data processing agreements which incorporate the Model Clauses, and in some cases have received Article 29 Working Party approval of their contractual terms.
Think of the relationship between cloud customer and vendor as just like any of your existing relationships between data controller and data processor – only on a larger scope and scale.
The shift in the EU General Data Protection Regulation (GDPR), under which data processors will be liable for data processing actions they take which go against or beyond the instructions of the data controller, should only increase the level of assurance for European cloud purchasers. (I am not going into Brexit here, but our GDPR expert has explained here that GDPR is still relevant post-Brexit. More on the security requirements of GDPR here.)
A risk-based approach to assess the offerings of a cloud vendor should give assurance that the requirements of Principle 8 of the Data Protection Act 1998 are met.
Act Now is not in the business of promoting cloud providers – they do a good enough job of that themselves. But concerns around data protection and information security need not be a barrier to adopting cloud-based technology. Colleagues or stakeholders who argue that these issues are show-stoppers may have an incomplete understanding of the current state of play, or may have another agenda in mind.
So, in considering transferring information assets to the cloud, information governance practitioners should:
- Carry out an information risk assessment, including a realistic understanding of threats and identifying the possible risks arising from keeping the data on the premises.
- Make sure that information governance and security issues are “front-loaded” and made central to the procurement process: many of the key controls and protections for the organisation have to be in the terms of the contract.
- Understand the geographical location of the provider’s data centres and, where relevant, include contractual terms stating where your data must be held.
- Survey the available third-party security and governance add-on tools for cloud, but be wary of the vendors’ claims and measure the value of their offerings against a realistic understanding of your specific risks.
Ultimately, whether to move to the cloud or not will be a decision for the wider business, but privacy and information security professionals can help to make that decision an informed one.
Frank Rankin is an information security, FOI and records management expert. Amongst other courses he is currently delivering our Practitioner Certificate in Freedom of Information (Scotland).