Cloud Security - Essentials Where is my data? article

Dear Readers,

below we present you the beta version of article "Where is my data" by Ian Moyse. You will also find this article in Hakin9s' issue devoted to Cloud Security Essentials that you can already pre-order!

Where Is My Data?

Cloud remains a hot subject and whether you love or loathe it, it’s not something you won’t have heard of or likely have had pushed your way.

Inevitably when considering cloud security questions arise and certainly in the light of the recent well publicised Prism publicity where the USA has been heavily cited for spying on data and much of it from outside the USA stretching into Europe and the UK. This has put emphasis on and raised awareness for UK businesses asking questions about and of cloud suppliers and rightly so.

A cloud provider should welcome such questions and be open to answering them in a straightforward and open manner and one could even say of openly promoting its wares and answers, expecting customers to ‘want to know’. However this is not the norm today. Many providers are hiding away the fact that they only host in the USA unless customers ask, some are positioning that they have a UK presence so that’s all okay and worst still some customers are not realising some of the implications of the answers they do possibly get and putting themselves in a precarious position.

Questions that should be at the forefront include where are your data centers, what happens to my data and how can I ensure the decision I am making does not expose us to risk. Blatantly ignoring cloud in today’s competitive environment is not a viable option and nor should it be. Cloud is disruptive and is changing the way we do many things, but its form factor inherently delivers us more choice and flexibility to service an ever demanding user base pushing for mobile device access, easier interfaces and rapid change.
There are a multitude of security areas that encroach on cloud solutions, varying based on whether you adopt a public, private or hybrid cloud approach and whether you use SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service).

Let’s focus on the most common platform in use Public cloud , Software as a Service (SaaS), expected to be worth 11 billion Euros in the next year according to Gartner (compared to expectations of 4.7 billion Euros for IaaS and 923 million Euros for PaaS).

Security in the Cloud should be approached and treated in a similar way as security in a physical shared environment, evaluating risks, the technology, the vendor and reputation although there are new areas to consider with cloud that typically have not come up when deploying product based solutions. If a company utilises cloud computing, its data will not be located within servers in its own office, it is therefore vital to know where that data is being held and who has access as well as what jurisdiction it is covered by.

When using a cloud provider you are likely to no longer be in exclusive control of your data and will not be deploying the technical, organisational and people measures to ensure the availability, integrity and confidentiality of the data stored. Data security and privacy are consistently reported as the top concerns and hindrances to cloud adoption as reported again in the most recent end user study from the Cloud Industry Forum (below).

Source : Cloud Industry Forum : Cloud adoption and trends for 2013

Trust in cloud is growing however and in fact, according to an Attenda survey amongst 100 CIOs and IT Directors, 87% of respondents stated that they have more trust in the cloud today compared with a couple of years ago. Whilst trust is growing concerns remain over data security, privacy and location.

There is much debate over the data issue and with varying opinions both legally, commercially and emotively. At the recent Cloud Computing World Forum a European Commission Director stated ‘that it shouldn’t really matter where Europe’s data is stored, as long as it’s secure and protected’. However the Attenda Survey found that 52% of Financial Services respondents still ranked the location of data as a top 3 barrier to moving business critical applications to a cloud environment, and it was even more important for the other commercial sectors where 76% of respondents ranked it as a top 3 concern. So the location of data remains one of the key hurdles in cloud adoption, particularly in regulated industries such as the finance sector and this is also extending across other commercial sectors such as Retail, Manufacturing, Transport and distribution.

There is much debate around data sovereignty and cloud providers have a responsibility to their users to provide clarity in this area. The question usually asked by customers is simply "where are your data centres?", but it needs to be closely followed by "Where will my data be stored?", "where will the backup and failover data be held?" and "are you a USA owned company?"

Assuming data will be stored in the local instance of datacentre you have been told about may not be the case.

This is best cited by the 2013 Salesforce announcement of plans for their 1st UK datacentre in 2014 followed by Steve Garnett, Salesforce's EMEA chairman stating in a Public interview that “UK customers will not necessarily end up in the UK data centre” “that the company would not be offering a service to relocate UK customers that are currently hosted in North America” and that UK customers who do go on the UK centre would be backed up to the North American data centre.

Meaning that existing UK customers stay where they are, new ones may or may not go on the UK location and certainly all will have at least their secondary data held in North America. All fair to share openly leaving customers to decide if this meets their needs, however how openly is this shared with customers Are new customers aware that currently all data goes to the USA and that even in the future it may not be all they may assume. Will this be openly stated on a web site up front for UK firms or shared with them openly and forthrightly as part of the sales engagement? Likely not as in today’s world of concern over ‘my data’ in the heightened awareness of Prism and other news articles customers are far more likely to feel comfort and preference for UK held data.

Understanding local and EU data legislation and any appropriate vertical legislations affecting your sector are key in making educated choices of what cloud platforms and vendors to consider and utilise.

Example considerations are the European Union’s Data Protection Directive of 1995 and the UK enacted Data Protection Act (DPA) of 1998. The EU directive requires all EU Member States to protect people's fundamental rights and freedoms and, in particular, their right to privacy with respect to the processing of personal data, which includes the storing of data. It also importantly directed that personal data should not be transferred to a country or territory outside the European Economic Area, except to countries which are deemed to provide an adequate level of protection

So there are a number of strict controls in place to ensure the protection of data however, business and IT managers need to ask vital questions about how and where data is stored in order to continue to comply with the European regulations and local data laws when utilising a cloud environment.

In the USA the Department of Commerce in 2000 created the Safe Harbor framework to ensure organisations put appropriate controls in place for the protection of data when handling European and UK companies data that may be stored in the USA (for example an American company who may have regional offices in the UK, France and Germany that keeps employee data such as employment, tax and personal details centrally in the USA). The Safe Harbor directives consist of seven rules that have been established specifically for US companies to comply with EU data storage directives.

The ‘safe-harbor’ approach, which allows for data on EU subjects to be moved out of the EU does not have the adoption you may think, even if you did decide it covers your needs. Many USA Cloud firms have not signed up to safe harbor and the liabilities that it might entail for them. So it’s important to assimilate two things; one does it give you the safety you want and two has the vendor your considering signed to it and is this reflected in your terms of service/license with them? Transfers to USA organizations adhering to the safe harbor principles can take place lawfully under EU law, since the recipient organisations are deemed to provide an adequate level of protection for the data.

There has been much discussion recently about storing data in the USA or with non European cloud firms, much driven after it was realised that the United States can use the Patriot Act to access European citizens' data without their consent. The Patriot act providing the ability for US Government and law enforcers to access foreign data stored on USA located servers as well as data held in the EU by USA based vendors

You may also hear of the ‘Article 29 Working Party’ which is an independent European advisory body on data protection and privacy issues made up as a committee of representatives from the 27 data protection authorities in EU member states. It analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA). The Article 29 Working Party in July 2012 stated on cloud that companies exporting data to providers outside their local jurisdiction should not merely rely on the statement of the data importer claiming that they have a Safe Harbor certification. They recommend that the company exporting data should obtain evidence that the Safe Harbor self certifications exist and request evidence demonstrating that their principles are being complied with. The article 29 working party stated “Businesses that wish to use cloud services to store and process personal data must use providers that can ‘guarantee’ compliance with EU data protection laws” The Working Party’s conclusion appears to be that US Safe Harbor coverage is not robust enough on the basis that it alone cannot substitute for the relevant contractual arrangements and guarantees which may be required by individual data protection authorities,

When using public clouds which are offered globally to a range of audiences from enterprise companies through to small businesses and consumers there is a risk of data leaving the EU without you knowing. You have the right to know if this may happen and where your data may be stored and the cloud provider should be open with you about this and give transparency so that you can make those educated choices.

Since the issues around USA stored cloud data and the Patriot Acts lack of alignment with the Safe Harbor principals came to light, European bodies have been revising and updating the data protection laws that apply to all 27 European member states and this is under review as this article is written. Outlined plans for change including amendments that may compel any non-European company with customers or clients within Europe to comply with European regulations, are expected during the next few years. It was stated that ‘the European Commission will come forward with proposals to reform the 1995 Data Protection Directive and in the next year or so we can expect an outcome of these actions. Recent discussion has also muted that these may even go as far as restricting firms to keeping data within the EU, although this is much argued as restricting European firms technological choice.

The other challenge that has highlighted the need for more legal clarity is whether the customer or the cloud provider is the data controller. The controller is the one who determines purposes and means of the processing of personal data. The Processor is the one who processes personal data on behalf of the Controller. Typically this means the customer is the controller, however due to the nature of the cloud computing environment the historical definitions can be unclear and such roles still often need to be determined on a case-by-case basis until legal clarity is brought to bear. Therefore it should be clear in a cloud providers service contract with you if you or they are acting as the Data Controller and thus have legal responsibility for the data held and processed in the elected cloud service. Data controllers are more responsible for data protection compliance than data processors.

In the majority of SaaS cases the customer will be seen as the Data Controller and the cloud service provider as the Data Processor. Therefore to remain on the right side of the Data Protection Act and EU laws the customer when moving their data outside of the EU (when using foreign and likely USA services) needs to ensure they have performed diligence and ensured adequate protection is in place to secure their own obligations as the data controller, for which company directors are liable.

For example a USA cloud service that is cheap and promises no contract to tie you in may seem attractive at first, but with no contract what terms are protecting your data, where and how are they holding, securing and protecting it and if asked how would you justify that you protected that data diligently when you have no contract to cite as to the terms it is held and protected by? Should anything happen to that provider or your data, an Information Commissioners office query on your data obligations would likely conclude negatively for you at the 1st base, finding you transferred customer data without due protection in place in form of a contract.

It is important to understand that you may be subject to the authority of the jurisdiction where your data and systems are hosted or where the parent company providing the hosting is from. If you want to make sure that you are compliant with local data laws and also doing right by your own clients whom you hold data on then you should be vigilant to understand where your data is ultimately held and whether or not the hosting entity is compliant with the appropriate local legislation that you require. New EU Data protection regulation could mean fines up to 2% of company turnover for data security breaches and with fines and data breaches being reported more diligently (see reported 2012 breaches as examples) evaluating your obligations around data security and sovereignty now, understanding them and any necessary actions is key.

It is your data that you are putting into the Cloud and according to the lawyers and the data protection laws it means that you are responsible for it. You are by default the data controller and must choose a cloud provider that guarantees compliance with data protection legislation. Microsoft, Google, Amazon, Salesforce and any other USA based organisation has to comply with local USA laws meaning that any data that is housed, stored or processed by a USA based company, is open to inspection and interception by USA authorities without notice or permission of a non USA company who has hosted their data in their systems.

In fact during Microsoft's Office 365 launch, Gordon Frazer, Managing Director of Microsoft UK, admitted exclusively to ZDNet that the Patriot Act can be invoked by U.S. law enforcement to access EU-stored data without consent. The managing director of Microsoft UK admitted that it would comply with the Patriot Act as its headquarters are based in the US. While it would try to inform its customers before this should happen, it stated that it could not guarantee this. This means that if you do business with a UK subsidiary of a USA based cloud operator who is hosting your data in the UK and you specify that English law applies as well as operating under EU data protection laws, the FBI can still get access to your data. While this had already been suspected, this was the first clear affirmation and is true for any US-based cloud provider.

This could illustrate why in the Cloud Industry Forum 2012 Cloud Adoption outlook report that 47% of UK organisations wanted their data stored in the UK (this has likely increased now we have since seen a year of Prism news) This reflects a sense of national law being perceived as providing a higher level of comfort for users. In a separate public survey carried out by the Cloud Industry Forum of 5,800 individuals, 64 per cent had concern as to where data would be stored.

Cloud is too important a technological offering to ignore and whilst there are undoubtedly a number of considerations to address, none are insurmountable and the cloud technologies offer a great benefit when used in the right areas and for the right reasons. As cloud becomes more mature and providers more sophisticated there will be accelerated adoption and more consistent answers and clarity to questions from customers.

So what approach can and should you take in your security diligence to adopting a cloud solution in the area of data, sovereignty and privacy?

Gartner defined six rights of a cloud customer being;
- The right to retain ownership, use and control one's own data
- The right to SLAs that address liabilities, remediation and business outcomes
- The right to notification and choice about changes that affect the service consumer's business processes
- The right to understand the technical limitations or requirements of the service up front
- The right to know what security processes the provider follows.
- The responsibility to understand and adhere to software license requirements

These are a good start as a high level foundation and basis for what you should look to adhere to in adopting cloud services, possibly from vendors you have not dealt with previously. Businesses wishing to use cloud computing and concerned about data issues should conduct a risk analysis encompassing what data will be stored or pass through the cloud service, the importance and confidentiality of the relevant data, any relevant EU, local or industry segment data protection rules to be complied with and your own internal receptiveness to where data be stored and what comfort you require from the chosen cloud vendor.

All European Cloud providers should provide clients with all the necessary information to openly assess the relevant service, including clarity of where they will store the clients primary and backup data, which data laws will apply, who is deemed the data controller and what data liberation terms are in place to ensure easy retrieval and removal of your own data should/when you choose to exit the cloud service.

As a client you should select a Cloud provider that guarantees compliance with EU data protection legislation and many articles have suggested going further if dealing with a USA vendor. Suggestions include the recommendation that you should verify that the cloud provider will guarantee the lawfulness of any cross border international data transfers with your data. They go as far to suggesting you ask the USA vendor who is providing cloud services to you in the EU, to state clearly in their terms with you that "under no circumstances will the data you provide us leave the EEA, even from a request under the USA PATRIOT Act". Whether they will comply with your request or not you should ask for clarity on what contractual service terms they have to protect you and then make a decision on your businesses receptiveness as to whether those on offer are enough in relevance to the data type you will hold in their service.

Cloud is here to stay in all its forms and security whilst an important consideration is not a mandated prohibiter. As with any solutions there is diligence to be done and cloud is not inherently less secure and in many cases will be more secure than internally provisioned infrastructures. Well provisioned cloud services can deliver a range of great advantages including greater security, more resilience, ease of mobile user support, flexibility, reduced costs and a greater user experience. However as a business you need to understand your local responsibility as a data controller and ensure you have clear service contracts and SLA’s in place to bring you the protection you require to operate safely and securely whilst taking benefit of the great advances cloud solutions can bring your business, users and customers.

About the author
Ian Moyse has over 25 years of experience in the IT Sector, with nine of these specialising in security For the last 8 years he has been focused in Cloud Computing and has become a thought leader in this arena. He now holds the role of Sales Director at Cloud CRM provider Workbooks.com. He also sits on the board of Eurocloud UK and the Governance Board of the Cloud Industry Forum (CIF) and in early 2012 was appointed to the advisory board of SaaSMax and as Cloud Advisory Director to the board of Evoco. He was named by TalkinCloud as one of the global top 200 cloud channel experts in 2011 and in early 2012 Ian was the first in the UK to pass the CompTIA Cloud Essentials specialty certification exam.

If you have any questions, comments, suggestions regarding the article or if you would like to subscribe contact [email protected]