Navigating the cloud security minefield
05 September, 2012 12:01
Cloud could well be an IT executive’s dream come true – a chance to reduce costs and potentially free up money for other IT projects.
However, navigating the minefield of fear, uncertainty and doubt (FUD) about cloud security coming from various quarters is easier with a contingency plan in place and an awareness of the legislation that applies in Australia and overseas.
For Corrs Chambers Westgarth Lawyers senior associate, Johanna O’Rourke – who specialises in ICT law – having a plan in place means that security and litigation problems can be minimised before an organisation's data gets compromised or executives have to defend the company in court.
Speaking at the IDC Cloud Conference in Sydney, O’Rourke told delegates that organisations are required to retain large amounts of electronic information, which is essential for day-to-day operations.
“As chief information officers move data into the cloud this means that they need to give up control of the data and this is where legal issues can occur,” she says. For example, the company could face the risk of improper disclosure, reputational damage, litigation by third parties in the event of a data breach, and prosecution by regulators such as the Australian government's Office of the Information Commissioner.
“The Australian Privacy Commissioner, Timothy Pilgrim, is not afraid to investigate data breaches and make statements in relation to them,” she warns.
According to O’Rourke, the incident happened between 17 and 19 April 2011. However, Sony did not announce that the data breach had occurred until 26 April.
“While the Commissioner found there had been no breach of the Privacy Act, he did have concerns that it took Sony 10 days to notify account holders that their data had been compromised,” she says.
When it comes to regulation, O’Rourke points out that the Australian Privacy Act 1988 does not address cloud computing, so it is a matter of applying existing privacy law to the technology.
“In the cloud computing context, the Act applies to Australian companies that are collecting data in Australia and storing this data either onshore or offshore,” she says.
“It also applies to foreign companies that are conducting business in Australia that store the data here before shifting it overseas.”
However, the Act does not apply to overseas enterprises where they have not collected that data in Australia.
“The reason I have laboured this point is because many of the cloud providers will not actually be bound by the Privacy Act,” she says.
According to O’Rourke, many cloud service providers do not have an office within Australia. As a result, there are no servers, or data, located here.
However, Australian companies using the overseas cloud providers' services are still bound by the Act. As a result, extra protections need to be introduced into contracts with these providers should the company decide to transfer personal information into the cloud.
“The relevant principle which applies under the Privacy Act to cloud computing is NPP4, which talks about data security and a requirement to maintain that data,” she says.
“The other principle is NPP9, which covers transborder data flows. The reason it’s relevant is that in a cloud environment, you are unable to transfer that data unless you’ve received the consent of the person whose personal information you have or it’s been transported to a jurisdiction that has similar laws to the Privacy Act,” she says.
According to O’Rourke, the European Union privacy laws are considered to be similar, but US privacy laws and Singapore laws are not recognised by the Australian Privacy Commissioner.
Turning to the Privacy Amendment Bill 2012, one major change which IT executives should take note of relates to cross-border disclosure.
“Under the new laws the organisation that transfers the data will remain liable in the event of a security breach,” she says.
This means strict liability: if the company’s cloud provider suffers a data breach, the company executives are liable.
“You’re going to want protections in your contract to make sure that you have the ability to recover in the event that something happens,” she says.
“That’s a worst case scenario so you want to be doing the due diligence on the provider to make sure that they are doing what they can to ensure it is a secure environment and that you don’t even get to the point of data security breaches.”