Clouding your judgement: the truth behind the public cloud



Lewisham Council has, probably without realising, demonstrated the confusion that surrounds public cloud in the public sector. When the council's ICT chief emailed peers suggesting that they should consider moving data away from Dropbox, he was responding to a recent ruling by the European Court of Justice (ECJ). It established that US firms signed up to the Safe Harbour scheme - principles that enable US companies hosting EU data to adhere to privacy laws in those territories - can no longer be automatically considered as offering adequate protection. Essentially, US organisations hosting data in the public cloud risk the US government having access under the US Patriot Act. While Safe Harbour was established to provide users with protection against the Patriot Act, it's clear from the ECJ ruling that this is not the case. It's no surprise, then, that public sector IT managers are unsure what the law is when they're faced with contradictory legislation and guidance.

In an attempt to clear up the confusion and point us in the right direction, the Information Commissioner's Office (ICO) has claimed that individuals' personal data face 'no new threat.' But the statement didn't do much to reassure organisations like schools that their data is safe from snoopers. According to the ICO, there's no need to migrate data from the public cloud, but that doesn't mean that the public cloud is any more secure than we first thought. All we've been told is that the risk isn't any higher than it has always been.

Don't let the Safe Harbour scheme make you naïve to the risks posed by the public cloud. You could take the ECJ ruling as an opportune time to maximise the security of your cloud usage by making use of controls such as file encryption. There is software available now that can create a bubble of encrypted data within your cloud, so that it will only be in a meaningful format when your organisation accesses it. You can also look to limit mobility to prevent data moving outside of the organisation's firewall, such as by disabling USB devices. Often it's employee error that makes you the most vulnerable to risk, so educate network users about the dangers of data being leaked and how to stay protected.
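The "bubble of encrypted data" the paragraph describes is client-side encryption: files are sealed under a key that stays with the organisation, and the cloud provider only ever stores the opaque blob. The following Go program is an added example written for this page, not code from any product or from the original post. It assumes AES-256-GCM with a key generated and held on-premises, and binds the object name into the ciphertext as authenticated data so a blob cannot be silently swapped with another; the file name and record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewOrgKey generates the 256-bit key the organisation keeps on-premises
// (in practice inside an HSM or key vault). It is never uploaded with the data,
// so whoever gains access to the hosted copy sees only ciphertext.
func NewOrgKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForCloud seals plaintext with AES-256-GCM and returns the blob to
// upload: nonce || ciphertext || authentication tag. The object name is bound
// as additional authenticated data, so the blob only opens under that name.
func EncryptForCloud(key, plaintext, objectName []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, objectName)
	return append(nonce, sealed...), nil
}

// DecryptFromCloud reverses EncryptForCloud. It fails on a wrong key, a
// modified blob, or a blob presented under a different object name.
func DecryptFromCloud(key, blob, objectName []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, objectName)
}

// newGCM validates the key length and builds the AEAD used by both directions.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewOrgKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a file the organisation wants to keep in the cloud.
	name := []byte("pupil-records-2015.csv")
	record := []byte("id,name,year\n1,Sample Pupil,7\n")

	blob, err := EncryptForCloud(key, record, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in the cloud (%d bytes): %x...\n", len(blob), blob[:16])

	// Only the key holder can turn the blob back into a meaningful file.
	plain, err := DecryptFromCloud(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered on-premises: %q\n", plain)

	// A provider-side copy renamed or altered in transit fails authentication.
	if _, err := DecryptFromCloud(key, blob, []byte("other.csv")); err != nil {
		fmt.Println("wrong object name rejected:", err)
	}
}
```

The design point is that the key and the data never meet at the provider: the blob can be moved from territory to territory and still reveal nothing without a key that only leaves the organisation's own systems for the moment of decryption. Storing the key alongside the data in the same cloud account would collapse the benefit.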

But Lewisham Council's ICT chief may have given the best advice of all. There's no better way of escaping public cloud risks than simply not using it to store sensitive data - the phrase 'KISS' (keep it simple, stupid) couldn't be any more applicable. EU and US legislation around data protection show no sign of converging in the near future, so security threats from services such as Dropbox are there for the long haul. Given that most public cloud services, including AWS and Google, move data around from territory to territory to take advantage of commercial and economic factors, you may well be unaware that your data is offshore. It's unlikely that any EU regulation or reassurance from the ICO can guarantee that your public cloud data isn't accessible by third parties. It's up to you now to either strengthen security or to find a new place to host your data.


