CipherCloud's director of EMEA Richard Olver discusses how you can protect your data in the cloud.
Do you have a clear understanding of your business' responsibilities when using a cloud computing provider? If not, you could be at risk.
The UK Information Commissioner's Office (ICO) recently published guidance on compliance with the Data Protection Act of 1988 for companies that use cloud computing to store their data. It states that a business may outsource its data processing through the use of cloud computing services but, as the controller, it remains responsible for how that data is used and protected.
As a retailer, you hold masses of customer data so, if yours is stored in the cloud, the ICO can now hold you accountable if you don’t adhere to their guidelines. Human error could end up putting your business into the spotlight and burdening it with fines of up to £500,000.
How to protect your data in the cloud
Under the new guidelines, the ICO advises that encryption 'allows a cloud customer to ensure that the personal data they are responsible for can only be accessed by authorised parties'. It recommends companies assess encryption levels both for data in transit and at rest, measuring the level of encryption against the sensitivity of the data. Ask your cloud application provider if it offers this option. There are also cloud encryption gateways from third parties that can encrypt data in most cloud applications.
Encryption isn’t as simple as encoding data though. It means retaining control of the keys used to unlock the data. Lose them, and you may find yourself guilty of effectively destroying personal data, which contravenes the Act. And, if you don’t store them securely, the keys themselves could be stolen - giving a hacker full access to your data as they would be able to decrypt it.
Considerations such as encryption have led research firm Gartner to identify the challenge of data security, resiliency and compliance in the cloud, and predict that, by 2016, 25 per cent of enterprises will secure access to cloud-based services and vendor platforms through a unified solution to broker security in the cloud and enforce security policies, a step that is also advisable to all retailers.
The ICO guidance recommends that businesses take several other steps to ensure the security of their data. These include validating the cloud provider’s own security practices. You are unlikely to escape a penalty in the event of a breach if your cloud service provider simply refused to prove its security measures when the contract was signed. It is your responsibility to conduct an on-site audit, or at least request third-party verification of a cloud provider's security.
This also applies when finding out where data is stored, which is another often-overlooked question. UK retailers may think that because they are dealing with a UK cloud provider, their data is located on-shore, but that may not be the case. It may be transferred to a server based in another country. Therefore it’s important to ask your vendor where your data is being stored, and follow the ICO’s guidance.
Assess, assess, assess
Don’t think that the new amendments to the Data Protection Act in the UK will make storing your data in the cloud too much effort. Companies will find the new ICO guidance helpful when setting up or exploring their options for cloud computing services. It is imperative that you assess the risk of using cloud-based services because you, rather than the cloud service provider, are ultimately liable for loss or exposure of customer information if there is a security breach.
And after all, it is better to be safe than sorry.
Want to receive up-to-the-minute tech news straight to your inbox? Then click here to sign up for the completely free PCR Daily Digest and Newsflash email services. You can also follow PCR on Twitter and Facebook.