Cloud Compliance: Is the Cloud Keeping your Data Private?

Cloud Compliance: Is the Cloud Keeping your Data Private?

Tuesday, June 25, 2013 | Staff Writer

Public cloud computing, convenient and cost-saving, has replaced the large, on-site server rooms usually relied upon by companies. Data once saved in server rooms is stored in data centres often far from the company site, managed by a cloud provider that secures and protects the data.

But at what point can convenience lead to privacy invasions?

Data storage and transmission falls under a number of laws that vary by each country or region. Data stored off-premise may fall under different rules than data stored on-premise, especially if the centre keeping that data is part of a multi-national storage solution.

"When data is stored on-premise, as it is with the traditional data centre model, an organisation has complete control over where the data sits at rest, how the data is stored, and who has access to the data,” Alan Murphy wrote for Forbes in January of last year.

The European Union’s Safe Harbor laws deem that United States companies that sign up for the Safe Harbor list must prove they can provide "adequate” protection for personal data before they are allowed to exchange data with EU companies. Regardless of the Safe Harbor law, however, the data is still vulnerable to the USA PATRIOT Act, and may be intercepted and acquired by the US government for "counter-terrorism” purposes.

This inequality in legal protection of data between the EU and the US could lead to egregious data privacy concerns for companies that require absolute guarantee of data privacy, especially since many of the large, US-based cloud providers, such as Google, refuse to comment on data centre practices.

[ Related White Paper: How Virtual Data Centres Transform IT's Ability to Add Value]

Concerns Across Boundaries

In a case study by ZDnet, author Zack Whittaker noted that, despite Safe Harbor laws, the Information Commissioner’s Office in the UK published "cautionary words of advice” regarding the outsourcing of data to non-European Economic Area member state countries—including the US.

Some companies work with EU subsidiaries of Google and Microsoft for their cloud services, ensuring that their data remains in data centres within the EU and are under EU law instead of US law. However, according to the ICO, even EU based, wholly-owned subsidiary companies are vulnerable to the USA PATRIOT Act.

"The USA PATRIOT Act could be used to get EU-sourced information from a U.S. company,” an ICO official said in the case study. "If the US company approached the EU company with a request for the information, then the EU company would have to consider whether to disclose the data."

According to the case study, these subsidiaries, while wholly-owned and controlled in the EU, would still be required to comply with their US parent organisations and may have to disclose data that would then be under jurisdiction of the Patriot Act.

But it doesn’t stop there. According to the case study, companies like Google and Microsoft cannot guarantee "that data supplied by EU customers and housed in datacentres on European soil will not leave the European Economic Area under any circumstances.”

Is it at all possible, then, to ensure complete data privacy for your company?

In all, cloud computing is still largely in its infancy concerning legislation. Luckily, a number of workarounds and solutions exist that won’t hamper the usefulness of cloud storage.

A simple solution is to choose a cloud provider whose data centres are located within the geographical territories that you specify. Some providers own their own networks as well as data centres, ensuring that they know not only where the data is held, cut can control access to it as its on their own network.

Encryption and tokened-reference systems have also been proposed solutions (so long as encryption keys and references stay off the cloud).

If data privacy is less of a concern, Google and Microsoft’s cloud offerings are certainly viable options for cloud applications. If keeping your data airtight is a priority, consider looking beyond the gloss and ask some searching questions.

Questions To Ask Your Cloud Provider

For EU companies especially, asking questions and staying informed will help ensure the privacy of your data.

  • Is cloud computing the core business of the cloud service provider?

  • Who owns and controls the data centres where our data will be stored?

  • Where are these data centres located?

  • Can we specify which localities we want our data to reside in? eg Keep solely within the UK or within the European state?

  • Who owns and controls the network?

  • Is there any third-party / outsourcing involved in the contract?

  • Other than authorised personnel, who else can access your data?

  • Check the financial viability of the provider - there are some horror stories where providers have gone bankrupt and left their customers very concerned.


By addressing these questions, your organisation can ensure data privacy within the cloud, and remain viable even when data storage is off-premise.

Image courtesy of FutUndBiedl on Flickr.

  • Print
  • Send to a friend