By the end of reading this blog you should be able to:
- Understand the legislation that has previously been put in place to protect cloud consumer data
- Be aware of recent events that have shaken up security in the cloud computing industry
- Learn about the actions that are in progress and will be put into place within the next couple of years to protect cloud consumers
Previous legislation
Firstly, the ‘Safe Harbor’ scheme was set up to allow personal data to be transferred securely from the EU to the U.S. where a previously screened company joins the U.S.-EU Safe Harbor Scheme.
Then, with the emergence and growth of e-commerce over previous years, http:// morphed into https:// (the “s” stands for secure) to give consumers and businesses an added degree of confidence in e-commerce transactions.
In addition to this, the Data Protection Act 1998 (an act of the British Parliament) and the Consumer Privacy Bill of Rights (Obama administration, US government) were put into place to protect businesses and consumers against credit fraud and identity theft. Both acts ensure that personal data is accurate, will be held securely, and is only used for its intended purposes at the time of (authorized) collection.
The Edward Snowden leaks
However, the leaking of classified documents in 2013 detailing the data collection activities of the U.S. National Security Agency reignited some long-standing concerns about the vulnerability of enterprise data stored in the cloud.
The NSA successfully hacked right through Google’s, Yahoo’s and Twitter’s cloud infrastructure, raising concerns about the security of consumer information processed and stored in the cloud.
With an industry clearly rife with ‘grey areas,’ it is understandable that cloud consumers are demanding greater cloud security. The aftermath of the NSA spy programs revealed in the Edward Snowden leaks is driving some long overdue changes in enterprise and service provider security and privacy policies. The realization has set in that it is finally time to upgrade all legislation and create more stringent regulations, in order to protect cloud consumers and meet their demands.
Emerging actions to keep an eye out for in 2014-2015
- The European Cloud Partnership (ECP) is in the process of being formed. It will codify the location of data, decide who owns digital content, and establish equitable and transparent rules for accessing data.
- Cloud service providers will have the option of becoming certified, giving consumers a valuable means of determining which CSP to choose as their provider.
- The EU’s proposed Data Protection Regulation will come into effect in 2015 and apply to European businesses, businesses outside the EU that hold personal data on EU citizens, and cloud providers both inside and outside the EU. It is mainly aimed at tech and social media companies, giving individuals a “Right to be Forgotten” by requesting that their personal data be deleted. Non-compliance with the regulation will result in a fine of up to 5% of the business provider’s annual worldwide turnover or €100 million.
- The questionable ‘Safe Harbor’ scheme will be reformed or suspended. As a result, cloud providers will look at alternative international data transfer solutions, such as Binding Corporate Rules, where a company adopts a global privacy policy that meets EU standards and is approved by the relevant EU Data Protection Authorities (“DPAs”).
- The European Commission proposed the NIS directive after the UK Government ranked cyber security as a Tier 1 threat to national security, equal with terrorism. In line with regulations set by the NIS directive, cloud providers will have to assess the risks they face, adopt appropriate measures to ensure network and information security, and report to the competent authorities any incidents seriously compromising their networks and information systems.
It is clear that 2014 will prove to be a big year in data protection for the cloud computing industry. What are your thoughts?
To find out more from Cristie Software, contact a member of our sales team on: or by using any of the links below: