
CCI
Friday, 05 June 2015 00:11

5 essential criteria for maintaining data security and privacy in the cloud

Posted By John Godwin

Government cloud expert John Godwin looks at the five key points that will help organisations navigate and understand privacy and data security issues

Post-Snowden, there has been growing concern about data security and privacy. Most organisations feel more comfortable if they have absolute control over their data even if, in reality, it’s less secure. However, the cloud market continues to evolve rapidly, with many providers offering highly secure services, some with the data being held locally (for example in the UK). The most recent iteration of the G-Cloud Framework, G-Cloud 6, is the first to use the Government’s 14 cloud security principles to enable buyers to assess the security of suppliers’ services, which has helped to allay any undue reservations when it comes to the security implications of moving to the cloud. 

Our recent report, ‘How Safe is Your Data?’ highlights the five main points that will help organisations to navigate and understand data security and privacy issues.

1. Breaching the Data Security Protection Act (DPA)

Organisations need to be confident that their supplier is providing adequate legal protection for their customers’ sensitive personal data or they may risk legal action. Data controllers must put prewritten contracts in place with their data processors, setting out what that data processor may or may not do with the personal data entrusted to them, including the specific security measures that should be taken to safeguard the data.

As an example, G-Cloud suppliers must not pass the data that an organisation controls to third parties, including sub-contractors, without that organisation’s written consent. Doing so would be a breach of the DPA leading to fines of up to £500,000, criminal proceedings and significant reputational damage.

2. Responsibility for validating suppliers’ security statements

With the introduction of the Government Security Classification Policy (GSCP), the former CESG Pan Government Accreditation service cannot be relied on to validate whether a supplier’s IT systems will properly protect an organisation’s data. It’s now up to the organisation to make that assessment.

Buyers should look for suppliers who use security-accredited personnel for data processing activities, are UK-registered companies that keep data within the UK only and who process data according to the DPA and the lawful instructions of the data controller.

3. Safe Harbor isn’t safe

In the wake of Edward Snowden’s PRISM revelations, the voluntary EU-US agreement protecting EU data from the US Patriot Act is now irrelevant. Legislation such as FISA (Foreign Intelligence Surveillance Act) gives the US Government the right to force a US company such as Microsoft to hand over customer emails which reside on Microsoft servers in Ireland, without informing affected customers.

A supplier that is registered in the UK, is not a subsidiary of an overseas company, has physical premises in the UK and will keep the data in the UK will provide the strongest protection against PRISM, FISA or any foreign government legislation.

4. Data disclosure is a global issue

Between January and June 2014 Microsoft received more than 34,000 law enforcement requests from 68 countries, relating to more than 58,000 accounts. They released at least some data in response to over 75% of these requests. As an enterprise, it’s important to know the geographical location in which the supplier will store and process data.

5. Growing trend to keep data sovereign

Our own recent research found that over 80% of the peers and almost 100% of the MPs we surveyed agreed that the UK provides adequate protection for processing public sector data, while the majority viewed offshoring as the greatest obstacle to cloud adoption. More than half of MPs polled also agreed that UK public sector data should be securely processed in the UK.

The European General Data Protection Regulation (GDPR), which becomes law in 2017 and will replace the UK DPA, aims to harmonise European data protection and make Europe a safe place to store data by placing more emphasis on individual rights and increasing transparency.

As more organisations transition to the cloud, protecting sensitive citizen data not only from hackers but also from foreign governments is a must. Organisations interested in transitioning data to the cloud or hiring a supplier to store customer data need to factor in data protection legislation both at home and overseas, and to understand the geographical location in which the data will be stored. Keeping data securely located in an organisation’s home country, entrusted to a supplier from the same nation which is tasked with keeping data sovereign, is the best way to mitigate data security and privacy issues.

About the author

John Godwin, Head of Compliance and Information Assurance at Skyscape Cloud Services, has more than 20 years’ experience in the implementation and operation of ISO Management Systems.

John is a Lead Auditor, Member of Business Continuity Institute (MBCI), Member of the Institute of IT Service Management (MISM), on the TechUK Cyber Security Group Committee and holds the Professional Credential from the Global priSM Institute (PSM).
