Data security – encrypt and risk assess

When every Government around the world is as much a possible enemy as any cyber-criminal or arch business competitor, keeping cloud services and data secure is still a function of maintaining the basics – good (non-public key) encryption, good user authentication and a proper risk assessment of the data itself

  • 10 years ago Posted in

The law and its relationship to the cloud is still in its infancy, and already subject to some interventions and interaction with Governments around the world that were probably not part of the original concepts that brought the technology into existence. But, at a seminar run by the Cloud Industry Forum (CIF) at the London offices of legal firm, Hogan Lovells International, it became clear that, while that legal relationship is at best `edgy’, it is also possible for businesses to take steps to protect themselves more than many currently do.

This is a subject that can, in simplistic terms at least, be divided into two parts: the interventions of governments and politics in general, and the actions businesses can take. And when it comes to the actions of governments, there is of course much to discuss.

For a start there is the European Community, which is taking a keen interest in cloud computing and the potential benefits it can bring to the Community countries and businesses. There are in fact signs here that the European Commission may be looking to introduce what might be called a less-potentially-damaging approach to the subject.

CIF chairman, Dr Richard Sykes, summed up the traditional European response to such problems as “launching `Le Grande Projet’ that costs billions and takes years to implement.” He suggested that the CIF Code of Practice is a much better solution.

According to Ben Jaffey, a Barrister with Blackstone Chambers, the cloud has contributed to helping Governments use the Internet for surveillance purposes. He observed that the two main approaches used by US authorities are the PRISM surveillance program and the tapping of communications cables. 

Our own GCHQ is not immune. It has, for example, the right to intercept emails and other communications for economic espionage that favours UK businesses. It also collects mobile and WiFi information over London, using a fleet of planes based at Northolt, so long as the calls 'appear' to come from overseas.

“The key trick is hiding in plain sight,” he said. “There is blanket collection and interception, there is metadata retention, and content retention. The US government also taking steps to weaken encryption capabilities. The consequences are Balkanisation, and damage to the cloud business model as Governments are less likely to really use it. The Balkanisation is already happening, with the US Safe Harbour regime and German data sovereignty regulations as examples.”

He also suggested that Treaties between nations are often of little value when it comes to Internet and cloud security as treaty obligations tend to be ignored by national surveillance operations in order to obtain the information they want.

“This does mean that privileged legal information can be leaked, as in the case of the Campaign Against Arms Trade (CAAT) vs BAe case in 2007. BAe was given a copy of the legal advice given to CAAT by its legal counsel,” he said.

When even Governments can appear to be at least as much of an enemy as any business competitor, the question then becomes one of what actions can be taken by any business in order to protect itself.

Jaffey was clear about one important step, and that is to use local encryption at all times. If at all possible, it should also be a company specific, private encryption with the key held by a responsible executive in that company. This is because Public Key systems have to be considered as probably compromised.

According to Dr Simon Rice, Principal Policy Adviser at the UK Information Commissioner’s Office, another important step is that every business should undertake a risk assessment of its data.  The basic question is whether the data the business feels it wants to store in the cloud is the right data for that process. And one of the important baseline tests is whether it contains personal information or not. A good deal of data will be quite safe in the cloud because it has no value to either business rivals or criminals.

He also suggested that, with the rise of the Bring Your Own Device movement, user authentication processes need to be toughened up. No business, he suggested, should now be relying on just a user name and password to authenticate users and grant them access to the system.

He too referred to the need to ensure data is encrypted, referencing the loss last year of two backup tapes by Shopacheck. They were unencrypted and contained personal data on 1.4 million customers.

“Companies must remember that the data controller role cannot be outsourced and the organisation must retain control over the data and processing,” he said. “This also applies to using public cloud service providers which normally do the processing too.”

He did suggest that there are some important benefits in using cloud services, with perhaps the most important being the fact that service providers will be able to provide better security than many businesses can afford.

And for many established business, much of what is considered new territory that comes with the cloud is, in many ways, nothing that new. In his view, there is a close similarity in data protection in the cloud compared to what has been the norm for years.

One of the common concerns potential cloud services users have is where their data will be stored. But as Jaffey observed, both users and the law puts too much attention on where data is stored, rather than where it has been or where it is going.

The key issue here, as he had already observed, is that data is at its most vulnerable when it is in transit, for that is when it is passing through communications cables that can be tapped. The problem here is that the data will travel the most convenient route for the telecoms network, which will often not be the obvious direct route. It can therefore end up passing through any country in the world.

Unencrypted data moving in that way, when tapping communications channels seems to be de rigeur surveillance procedure for most Governments and other organisations these days, will always be at its greatest risk.

According to Hogan-Lovells’ Conor Ward, it may be necessary to alsob e circumspect about what data is sent to overseas subsidiaries, especially when they are in the USA, as legislation there can leave the subsidiary obliged to comply with requests for access to such information. The cloud can make this situation trickier as collaborations and partnerships can create multiple layers of partners participating in a project or contract. If one of them is subject to such an obligation, confidential information from other partners could well become available for scrutiny as well.

The European Union strategy on promoting cloud services will play a part in further data protection processes, though not by regulation. According to Ken Ducatel, Head of Unit for Software, Services and Cloud at the European Commission, the European cloud computing strategy will hinge around key actions such as cutting through technical standards, developing fair and safe contract terms, and building a European cloud partnership to drive innovation and growth from the public sector.

The main approach with these actions is to build `reference models’ that both users and vendors can then apply to their business relationships, rather than to pitch at creating regulations that are legislated into law.

Just about all these reference models are still at the draft stage, but include a standards map that outlines the standards that are important to workable cloud computing, a list of certification schemes, a model for cloud service level agreements, a data protection code of conduct, and thed formation of a cloud contract group.

Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
GPUaaS provides customers on-demand access to powerful accelerated resources for AI, machine...
TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...
LetsGetChecked is a global healthcare solutions company that provides the tools to manage health...
Node4 to the rescue.