Information Age: News, analysis & insight for IT & business leaders

A report from Information Age's Cloud Security 2011 conference, including three cloud security case studies

If there is one thing that IT industry analysts can agree on, it is that the adoption of cloud computing is set to grow. They may differ on the pace of that growth, and which cloud model will grow the fastest, but all agree that more and more business data will in future be stored, transacted and processed in cloud environments.

 Besides the benefits to scalability and resource allocation that this entails, it also means that the ecosystem of business data is about to get more complex by an order of magnitude.

Today, a business can be reasonably sure that the data it cares about is stored in IT systems operated by itself, by its partners or by its suppliers.

Such is the nature of the cloud computing ecosystem, however, that the business may soon be using a software-as-a service application from one provider, built on a platform-as-a-service offering from another, which in turn is based on infrastructure-as-a-service delivered by a third.

This complicates the essential matter of knowing where one’s data resides, and in exactly what kind of technical environment.

It is therefore incumbent upon all IT professionals, whether or not their current employer is pursuing a cloud computing strategy, to understand the legal, technical and organisational security issues associated with the technology. These issues were the subject of Information Age’s Cloud Security 2011 conference in October.

From a legal perspective, the location of data and data centres is the key issue in cloud computing, explained keynote speaker Rosemary Jay, senior attorney at law firm Hunton and Williams’s privacy and information management practice.

Most of the big-name cloud providers now offer services from within the EU, which removes many of the legal concerns for UK companies wishing to use public cloud services. If a company wants an individual guarantee that data will never move outside the EU, however, cloud providers are not always cooperative, Jay said.

“If you are trying persuade Google to only locate your data in the European Economic Area, it’s much easier if you are a big customer with commercial muscle,” she explained.

A common concern among clients, Jay says, is the impact of the Patriot Act, which allows US authorities to access data held by any US-owned corporation. Technically, this clashes with the EU’s Data Protection Directive, which asserts that third parties cannot access customer data without their consent.

Jay said this is often over-played, as most businesses are unlikely ever to be the subject of a national security investigation. “Why would they be interested in your data?” she remarked.

A more valid concern is the growing complexity of the cloud ecosystem. In a multi-vendor cloud environment, multiple different parties may be defined as the ‘data processor’, in legal terms, but the role of ‘data controller’, and therefore ultimate responsibility for the data, remains with the customer. Jay therefore advised that companies seek individual agreements with each ‘data processor’ in the cloud service supply chain.

She reminded delegates that businesses are bound not only by the law, but also by the agreements they have made with customers, such as privacy and data protection policies. This can be problematic, Jay explained, as these are often designed with commercial, not legal, interest in mind.

“Sometimes, I see data protection clauses that make me think they were written by the marketing department,” she said. “You see phrases like, ‘We will cherish your data,’ cropping up, which are meaningless.”

NEXT>> Due diligence in selecting a cloud provider