The UK Information Commissioner's Office (ICO) has the ability to impose heavy fines of up to £500,000 when businesses fail to comply with the Data Protection Act.
Its new guidelines on Cloud Computing could put organisations on the spot. Are you compliant?
If you think your organisation doesn’t use the Cloud, first consider this scenario: the IT department feels in control of its technical infrastructure, but is oblivious that another department has ignored or overlooked the security policies and is using an external Cloud-based service for sales automation, collaboration, or data storage.
If this sounds familiar, it might be time to assess how you truly use the Cloud.
Every organisation using the Cloud - at whatever level - must heed the ICO’s advice. Worryingly though, a new survey of 300 senior IT professionals commissioned by CipherCloud found that over 40 per cent admit to being unaware of the ICO’s guidance and recommendations on Cloud computing.
Of those IT decision makers that are aware of the ICO guidelines, less than 27 per cent admit their organisations are compliant.
The ICO clearly outlines the responsibilities for securing customer data held in the Cloud. Contrary to popular belief that the Cloud service provider hosting the data is responsible should a breach occur, it is actually the owner of the data that is accountable.
So, if you own the data you need to be sure you are in control and know how to keep private data private.
The ICO needs YOU
Many organisations continue to rely on weak terms and conditions from their Cloud service provider, and assume that the provider has taken full responsibility for their data’s security. This is not good enough. The ICO wants you to take the necessary steps to ensure your sensitive data is kept secure, instead of leaving the Cloud service provider to simply tick boxes and cover themselves on paper.
What you should also ask yourself is: Am I confident that our own organisation’s systems are secure? So not only should you examine the security of your Cloud service provider, you must also take the necessary steps to ensure your network is protected.
The ICO cites encryption as a valuable tool for protecting the data owned by a company, even when it is hosted by a third party vendor. ‘The most secure way to use a Cloud storage service is to encrypt your files before they leave your computer’, confirms the ICO. By encrypting your private data before it reaches a Cloud provider, you prevent unauthorised parties from accessing sensitive information.
Only those responsible for the personal data will hold a ‘key’ which can be used to access and decrypt the data.
Proper key management is therefore also highlighted as an important consideration for the data controller. Encryption keys are the secret values that allow scrambled data to be decoded. But any Cloud user must know the data is worthless if the keys are lost, and is at risk of being decoded if the keys are stolen.
This means you need to retain total control of the encryption keys, otherwise you could be held responsible for losing or leaking personal data.
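The pattern the ICO describes, as an added illustration that is not part of the article or the ICO guidance: the file is sealed on the controller’s own machine with AES-256-GCM, only the ciphertext is handed to the provider, and a copy held without the key cannot be opened. The key source, the in-memory `cloudStore` standing in for the provider, and the sample record are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// encryptLocally seals a file before upload with AES-256-GCM. The key stays with the
// data controller; the output (nonce || ciphertext || tag) is all the provider receives.
func encryptLocally(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptLocally reverses encryptLocally after download. A wrong key or a tampered
// object fails authentication, so a leaked provider-side copy is worthless without the key.
func decryptLocally(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // assumption: in practice drawn from a key store the controller controls
	rand.Read(key)
	sealed, _ := encryptLocally(key, []byte("constructed sample: customer record"))
	cloudStore := map[string][]byte{"customers.bin": sealed} // the provider only ever holds ciphertext
	wrongKey := make([]byte, 32)
	_, err := decryptLocally(wrongKey, cloudStore["customers.bin"])
	fmt.Println("opened without the controller's key:", err == nil)
	pt, _ := decryptLocally(key, cloudStore["customers.bin"])
	fmt.Printf("opened with the controller's key: %s\n", pt)
}
```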
Furthermore, an employee of the data controller who has access to data in the Cloud must be using IT platforms that are secure.
If they access sensitive data from a malware-infected computer, their account could be compromised and the encrypted data could be stolen. It is the controller that may well be held liable for any resulting breaches.
Don’t get caught out
These considerations, among others, have led Gartner to identify the challenges of data security, resiliency and compliance in the Cloud, and predict how companies will address them.
The research firm estimates that by 2016, 25% of enterprises will secure access to Cloud-based services and vendor platforms through a unified solution to broker security in the Cloud and enforce security policies.
Organisations will find this research reassuring and the new ICO guidelines helpful when exploring Cloud computing and the security implications it brings.
What’s important is that you gain a robust organisational understanding and assess the risks of using a Cloud service provider.
A considered Cloud strategy can yield rewards and save you money. But, be cautious and be compliant - that way, you won’t get caught out.