Cloud Service Providers Now Subject To Scrutiny Of Assurance Registry

After mounting concerns about the security of cloud computing, a new online platform is to enable users to assess the security features of registered cloud providers. The Security, Trust & Assurance Registry (STAR) hopes to encourage providers to improve their data protection security through this increased transparency, and to help organisations that use those providers comply with data protection laws.

The Article 29 Working Party drew attention to firms' lack of control over customers' personal data when using cloud services. As cloud computing uses an internet-based network in place of local computing resources, the Working Party stated that organisations using these providers face a risk of "loss of governance, insecure or incomplete data deletion, insufficient audit trails or isolation failures."

Operated by the not-for-profit body the Cloud Security Alliance (CSA), STAR hopes to limit such risks to data protection. The CSA's members include Google, Microsoft and many other global businesses. They provide education on the uses of cloud computing to work towards securing all other forms of computing. Through STAR, cloud providers are able to submit "self assessment reports" which document their compliance with the "best practices" set out by the CSA. This searchable registry opens the gates for customers to review providers' security practices, and so, it is hoped, leads to improvements in the quality of organisations' security. The platform is free for both submission and review of entries.

The CSA said that they were driven to launch STAR because they believe voluntary self-regulation is needed during the early days of cloud computing, in place of "heavy handed governmental regulation." They state that they support transparency and competition between cloud providers, with security as a market differentiator.

In December last year the first cloud providers, including Microsoft, submitted their reports through STAR. More recently, Amazon published details of the steps they take to ensure the security of users' information stored in 'Amazon Web Services'. Amazon also stated that AWS "engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS."

However, the information available from cloud providers or other external certifications is not sufficient to ensure organisations' own compliance with UK data protection laws. Organisations storing personal data in the cloud remain responsible for the safety of the data they store. Such organisations have been told by the EU privacy watchdog, the Article 29 Working Party, that they must "guarantee" compliance with EU data protection laws.

A spokesperson for the ICO made clear that while the overseas transfer of personal data is not prohibited by the Data Protection Act, the information must be adequately protected no matter where, or by whom, it is being processed. EU data protection law also requires that, when sending personal data via the cloud to a destination outside the European Economic Area (EEA), organisations must ensure that sufficient data protection safeguards are in place prior to processing. As an exception, countries whose data protection has been pre-approved by the European Commission as adequate do not require checking by the organisation itself.

So that companies are able to meet their own data protection requirements relating to cloud services, the Working Party provides specific guidance. It advises on safeguards in contracts between 'data controllers' and cloud providers, with the aim of eliminating the risk of non-compliance with data protection law. Such contracts are encouraged to set out how the cloud provider will keep data secure, by what means access to the private information will be restricted, and how the controller will be able to monitor the provider's data protection compliance.

Concerns had been raised that a public registry would create new vectors for exploitation by hackers. The CSA responded that such risks are not a cause for concern: the documents submitted by cloud providers are designed so that security practices can be clearly documented without exposing sensitive information. This is achieved through the use of a Consensus Assessments Initiative Questionnaire (CAIQ).

As for the future, the CSA believes that for the meantime STAR will continue as a simple registry for providers. However, they expect the major developments to eventually come from third-party solution providers extending and automating CSA STAR by integrating the GRC Stack directly into their products and services. The GRC Stack is the CSA's toolkit for enterprises, cloud providers, security solution providers and others to instrument and assess clouds against established best practices, standards and critical compliance requirements.

Brian can be contacted at Stone King, Solicitors.
