By Gerry Grealish
We all know that adopting the Cloud comes with some risks – security, reliability and scalability have, to-date, been the most popular complaints. But now, we can add a new one to the mix: litigation. Case in point, companies doing business in Australia, known for its strict privacy laws, have been warned that the risk for litigation should be factored into their due diligence when selecting a cloud vendor.
The Acting Victorian Privacy Commissioner recently spoke at the 2012 Evolve Cloud Security Conference in Australia that focused on privacy concerns related to widespread cloud adoption. In his speech, he advised cloud users to scrutinize service provider security policies thoroughly before jumping into an arrangement based primarily on cost savings and scalability. Why? Because, in Australia, as well as other regulated jurisdictions, cases of information misuse will be investigated and prosecuted.
And more often than not, the cloud user will be the target of the litigation. As highlighted in the Cloud Computing Information Sheet, if a business can’t answer basic questions about where its data is located, who owns and controls the service provider organization, and what happens to data when contracts terminate, the business is directly at risk.
Preserving functionality in particular can prove a challenge when it comes to cloud data security. A cloud service provider may in fact offer the ability to encrypt data to sufficiently meet privacy laws, but it does so at the risk of complicating data access and SaaS application usability. In that case, a secure cloud application may not seem like it’s worth the hassle to a company, and they may opt for an on-premise solution alternative.
It is important to carefully investigate statements made by cloud providers about legal compliance or other security credentials. Especially with international vendors, they may not know the details of the regulations that an individual enterprise needs to adhere to, let alone those of a specific geographic region, or the specific policies of an industry group. Should data become compromised, they are not liable in most cases.
Striking fear in the hearts of enterprises seeking to exploit technological innovation may prevent some data mishandling. But it doesn’t help address the long-term issue of how companies can successfully and legally implement the cloud into their IT strategies. Cloud advantages have simply become too valuable to ignore. If companies want to stay competitive, they must find ways to meet the privacy and residency restrictions enforced in countries like Australia, Switzerland, China and others while making the move to the cloud.
The Privacy Commission also warned against “haphazard” approaches to “de-identify” personally identifiable information (PII). Permanently removing the personally identifiable information is not a valid option because this often destroys the data’s intrinsic business value. Industry approved approaches, such as encryption using strong algorithms (i.e., FIPS 140-2 validated) or tokenization, which replaces PII with randomly generated tokens with no relation to the original information, are methods that should be explored.
Tokenization, in particular, should be looked at very carefully as it helps to solve data control, access, and location issues because the data controllers themselves maintain the system and the original data. With tokenization, all sensitive information can be kept in-house – what travels to the cloud are random tokens vs. actual data – making information undecipherable should it be improperly accessed. So, companies can adopt cloud applications (public or private) with added assurance about their position relative to data residency, privacy and compliance. And employees accessing the protected cloud data can enjoy application functionality and the same user experience, such as searching and sorting, on encrypted or tokenized data, with the standard cloud SaaS application – all while staying within the legal lines.
Bottom line: Data control is becoming a key legal requirement in many countries and jurisdictions – and it is one that will clearly be enforced. Are you and your organization covered, or do you need to prepare for a legal battle in the Cloud?
Gerry Grealish leads the Marketing & Product organizations at PerspecSys Inc., a leading provider of cloud data security and SaaS security solutions that remove the technical, legal and financial risks of placing sensitive company data in the cloud