Best practice for using cloud computing in Europe 2013 (Part 2)

by Ricky M. Magalhaes [Published on 16 Jan. 2013 / Last Updated on 16 Jan. 2013]

This article (part two) will focus on the final three principles of good information handling. These principles will cover the obligations on organisations for processing and storing data.

If you would like to read the first part in this article series please go to Best practice for using cloud computing in Europe 2013 (Part 1).

Introduction

Organisations are now using the cloud for processing and storage; petabytes of data are being stored in the cloud indiscriminately, often without appropriate protection.

5. Information security

It is important to be aware of the requirements regarding data security and what is expected of an organisation that uses, processes or stores personal data. To comply, organisations need to ensure that appropriate physical, technical and managerial security measures are in place to prevent the data they are responsible for from being compromised, whether deliberately or accidentally.

Steps organisations should take:

  • Carry out a detailed risk assessment, covering areas such as staff numbers, the access staff have to data, access to data by third parties and the security those third parties have in place.
  • Design and manage your security with the nature of the information you process in mind, and consider the consequences if a breach were to occur. Each organisation requires security specific to its needs.
  • Assign responsibility for information security to a named individual or group, so that roles are clear and there is no confusion about who is accountable.
  • Set up robust physical and technical security, and maintain and manage it continuously. Be ready to adapt as circumstances change.
  • Make sure that security policies are in place, followed and managed.
  • Ensure staff are always up to date with the policies in place and trained on the organisation's security procedures.
  • Be aware of risk areas, and have procedures and policies in place for the event of a security breach so that the response is prompt and effective.
  • Have data backup and recovery policies in place.
  • Give only a defined individual or group the authority to access, alter, disclose or destroy data. Restricting these operations to authorised people makes the data easier to manage and control.

Advances in technology, including cloud computing, have enabled organisations to process and share large amounts of data with ease. With these advantages come serious security risks. Cloud computing allows large amounts of data to be stored, processed and used, but the numerous storage locations involved increase the risk of data being compromised, lost, misused or tampered with if it is not secured correctly and in accordance with the Data Protection Act.

When using a cloud service provider, the security of the data in the cloud remains the responsibility of the organisation as data controller. All the security measures the organisation would apply itself must also be applied by the cloud service provider. It is the organisation's responsibility to ensure that the security offered by the provider conforms to its own security policies as well as the law, so that data used, processed or stored in the cloud stays protected.

Steps the organisation can take when choosing an appropriate cloud service provider:

  • The cloud service provider should apply security policies at least as strong as the organisation's own. Data should receive at least the level of protection it would receive if the organisation handled it itself.
  • The provider should give sufficient guarantees about the security measures in place to protect the data being processed or stored on the organisation's behalf.
  • The provider needs to have safeguards in place to prevent one customer from gaining access to another customer's personal data (tenant isolation).
  • The organisation should take steps to verify that the agreed security measures are actually being put into practice by the provider, rather than relying on assurances alone.
  • There should be a written contract between the organisation and the provider setting out the permitted data handling and the security measures that must be in place and practised.

Despite all the policies and measures in place, a breach may still occur, so the organisation should set out a breach management plan in advance. The following elements are important and should be covered in the plan.

  • Containment:

Identify ways to limit the damage caused by the breach.

  • Recovery:

Have a recovery plan in place for when a breach occurs.

  • Risk assessment:

Assess the risks associated with the breach, the possible consequences for the individuals involved, directly or indirectly, and the likelihood of those consequences materialising.

  • Notification of the security breach:

To manage the incident it is essential that the individuals affected by the breach are informed, along with the relevant regulators and legal entities.

  • Investigation and response:

Establish the cause of the breach, and update or change your security policies and procedures as necessary to prevent a recurrence.

A closer look at securing information in the cloud

An important factor in choosing a suitable cloud service provider is the security it offers.

Areas to investigate when choosing a cloud provider with security in mind:

  • Assess the guarantees offered by the provider with respect to availability, confidentiality and integrity. These guarantees need to demonstrate adequate technical and managerial security procedures and steps towards compliance.
  • Undertake a security audit of the premises and services, including the physical, technical and managerial procedures in place. It is essential to make sure that the security offered by the provider will assist the organisation in complying with data protection law.
  • If the cloud service is layered (for example, a SaaS provider built on another provider's infrastructure), assurance must be sought regarding the security procedures of everyone involved in processing the data at each layer.
  • The provider must routinely provide the organisation with up-to-date information about the security in place.

Ways to protect your data in the cloud:

  • Encrypting the data before moving it to the cloud (client-side encryption) ensures that only authorised individuals holding the key can view the data, and that the provider itself cannot.
  • Encrypting the data in transit ensures that even if it is intercepted it is not readable to anyone without the key.
  • Encrypt data that is stored (at rest) in the cloud.
  • If encryption is the technical measure chosen to secure data in the cloud, it is essential to have a robust key management system in place so that the keys are always secure; encrypted data is only as protected as the keys that unlock it.
  • Ensure there are procedures in place to prevent unauthorised access to the data. Strong authentication is a minimum.
  • An access management system is required to update, suspend, remove and reset user accounts when necessary.
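The encryption and key management points above are best seen together in working code. The following is an added example written for this article, not code from the original page or from any cloud provider: it implements client-side envelope encryption in Go using only the standard library's AES-256-GCM, so that what the provider stores is ciphertext plus a per-object data key that is itself encrypted under a key-encryption key (KEK) the organisation keeps in its own HSM or key management system. The object identifier, the sample record and the fixed KEK bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is uploaded to the provider: the payload ciphertext plus a per-object
// data key (DEK) encrypted under the organisation's key-encryption key (KEK). Without the
// KEK, which never leaves the organisation, the provider holds nothing it can read.
type Envelope struct {
	WrapNonce, WrappedDEK []byte // DEK, AES-256-GCM encrypted under the KEK
	Nonce, Ciphertext     []byte // payload, AES-256-GCM encrypted under the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails closed on a wrong key, a different aad or any modification.
func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong object or tampered data")
	}
	return pt, nil
}

// Encrypt runs on the customer side before upload. objectID is bound as associated data,
// so a stored envelope cannot be moved onto another object without detection.
func Encrypt(kek, plaintext []byte, objectID string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrapNonce: wrapNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the only path back to plaintext, and it needs the KEK.
func Decrypt(kek []byte, env *Envelope, objectID string) ([]byte, error) {
	dek, err := unseal(kek, env.WrapNonce, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Nonce, env.Ciphertext, []byte(objectID))
}

// Rewrap rotates the KEK. Only the wrapped DEK changes and the stored payload is untouched,
// so key rotation does not mean downloading and re-encrypting every object.
func Rewrap(oldKEK, newKEK []byte, env *Envelope, objectID string) (*Envelope, error) {
	dek, err := unseal(oldKEK, env.WrapNonce, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(newKEK, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrapNonce: wrapNonce, WrappedDEK: wrapped, Nonce: env.Nonce, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek := bytes.Repeat([]byte{0x11}, 32) // constructed KEK; a real one stays in an HSM or KMS
	env, err := Encrypt(kek, []byte(`{"email":"a@example.org"}`), "customers/42.json") // constructed record
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env, "customers/42.json")
	fmt.Printf("provider stores %d opaque bytes; customer recovers %q (err=%v)\n", len(env.Ciphertext), pt, err)
}
```

Binding the object identifier as associated data means an envelope copied onto another object fails to decrypt, and Rewrap shows the key management point from the list: rotating the KEK re-encrypts only the few wrapped key bytes, not the stored payload, so rotation stays cheap enough to do routinely. Once rotated, the retired KEK no longer decrypts anything, which is the control you want when an administrator leaves or a key is suspected of compromise.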

6. Sending personal data outside the European Economic Area

The Data Protection Act states that an organisation is not allowed to transfer personal data outside the European Economic Area (EEA) unless the destination country ensures an adequate level of protection for the processing of that data. The UK regards the other EEA countries as providing adequate protection, so data may be processed anywhere within the EEA.

This principle becomes a challenge when moving to cloud computing, since the servers processing and storing your data are often scattered around the world.

As an organisation adopting cloud computing it is essential that you agree with your cloud service provider where the servers will be located, to be sure you conform to the law in this respect, keeping in mind that the security of the data is ultimately the organisation's responsibility. It is important that the provider you choose is reliable and has appropriate security in place.

When processing or storing information on servers outside the EEA you need to ensure the following:

  • There is a level of protection equivalent to or better than that within the EEA
  • You understand the nature of the data being transferred, processed or stored, and that the protection offered is adequate for that kind of information and the individuals concerned
  • You understand how the data will be processed or used
  • You know the laws and regulations of the country where the information is processed or stored, and have confirmed that the country has adopted data protection laws
  • There is a means of guaranteeing that the protection standards are achieved in practice

The resilience of a cloud service depends heavily on the ability to use data centres located in various countries; this becomes an issue because it is often difficult to determine where your data is actually being processed.

It is essential that the cloud customer obtains the list of countries the cloud provider may use for processing its data and ensures that those countries provide adequate protection in line with UK data protection regulation.

7. The conditions for processing

This principle sets out the conditions that must exist before an organisation can process personal data. If your organisation is already abiding by the first two principles, the likelihood is that you have this one covered as well: if your reasons for processing the data are fair and lawful, the applicable condition will be easier to determine.

At least one of the following conditions must be met when processing personal data:

  • The data subject has given consent to the data being processed, used or stored in the manner set out, having a clear understanding of how it will be processed
  • The processing is necessary to meet a legal obligation
  • The processing is necessary to protect the vital interests of the data subject
  • The processing is necessary for the administration of justice
  • The processing is necessary for the specific purpose set out in the condition relied upon

8. Exemptions

Personal data sometimes needs to be disclosed for certain purposes. In these cases your organisation will be exempt from complying with some of the data protection principles and some of the data subject's rights. The organisation should know the areas where an exemption may apply. Situations covered by exemptions include crime and taxation purposes, disclosures required by law and information that is publicly available, to name a few.

Conclusion

Many organisations are choosing to move to cloud computing for various reasons. The cloud offers an array of services and technologies to assist in everyday business, often at a lower cost than achieving the same in-house. However, by processing and storing information in the cloud, organisations may encounter data protection risks they were previously unaware of.

Prior to moving to the cloud, organisations, in conjunction with their cloud provider, should consider the eight data protection principles to ensure that the storage and processing of data in the cloud complies with the Data Protection Act. A good understanding of the eight principles of good data handling will help organisations maintain control of their data in the cloud and earn the trust of employees, clients and customers.

The Author — Ricky M. Magalhaes

Ricky M. Magalhaes is an international information security architect working with a myriad of high-profile organisations. Ricky has over 16 years of experience in the security arena covering all ten domains, including best practice and compliance. Ricky is a strategist on security and on innovative ways to achieve compliance and mitigate risk for many blue-chip entities, and sits on the advisory boards of many organisations worldwide.