Navigating the cloud security minefield
- 05 September, 2012 12:01
Cloud could well be an IT executive’s dream come true – a chance to reduce costs and potentially free up money for other IT projects.
However, navigating the minefield of fear, uncertainty and doubt (FUD) about cloud security can be made easier by creating a contingency plan and being aware of legislation in Australia and overseas.
For Corrs Chambers Westgarth Lawyers senior associate, Johanna O’Rourke – who specialises in ICT law – having a plan in place means that security and litigation problems can be minimised before an organisation's data gets compromised or executives have to defend the company in court.
Speaking at the IDC Cloud Conference in Sydney, O’Rourke told delegates that organisations are required to retain large amounts of electronic information, which is essential for day-to-day operations.
“As chief information officers move data into the cloud this means that they need to give up control of the data and this is where legal issues can occur,” she says.
For example, the company could face the risk of improper disclosure, reputational damage, litigation by third parties in the event of a data breach, and prosecution by regulators such as the Australian government's Office of the Information Commissioner.
“The Australian Privacy Commissioner, Timothy Pilgrim, is not afraid to investigate data breaches and make statements in relation to them,” she warns.
According to O’Rourke, the Sony data breach happened between 17 and 19 April 2011. However, Sony did not announce that the breach had occurred until 26 April.
“While the Commissioner found there had been no breach of the Privacy Act, he did have concerns that it took Sony 10 days to notify account holders that their data had been compromised,” she says.
When it comes to regulation, O’Rourke points out that the Australian Privacy Act 1988 does not address cloud computing, so it is a matter of applying existing privacy laws to the technology.
“In the cloud computing context, the Act applies to Australian companies that are collecting data in Australia and storing this data either onshore or offshore,” she says.
“It also applies to foreign companies that are conducting business in Australia that store the data here before shifting it overseas.”
However, the Act does not apply to overseas enterprises that have not collected the data in Australia.
“The reason I have laboured this point is because many of the cloud providers will not actually be bound by the Privacy Act,” she says.
According to O’Rourke, many cloud service providers do not have an office within Australia and, as a result, have no servers or data located here.
However, Australian companies using the overseas cloud providers' services are still bound by the Act. As a result, extra protections need to be introduced into contracts with these providers should the company decide to transfer personal information into the cloud.
“The relevant principle which applies under the Privacy Act to cloud computing is NPP4, which talks about data security and a requirement to maintain that data,” she says.
“The other principle is NPP9, which covers transborder data flows. The reason it’s relevant is that in a cloud environment, you are unable to transfer that data unless you’ve received the consent of the person whose personal information you have or it’s been transported to a jurisdiction that has similar laws to the Privacy Act,” she says.
According to O’Rourke, the European Union privacy laws are considered to be similar but US privacy laws and Singapore laws are not recognised by the Australian Privacy Commissioner.
Turning to the Privacy Amendment Bill 2012, one major change which IT executives should take note of is in relation to cross-border disclosure.
“Under the new laws the organisation that transfers the data will remain liable in the event of a security breach,” she says.
This means strict liability: if the company’s cloud provider suffers a data breach, the company executives are liable.
“You’re going to want protections in your contract to make sure that you have the ability to recover in the event that something happens,” she says.
“That’s a worst case scenario so you want to be doing the due diligence on the provider to make sure that they are doing what they can to ensure it is a secure environment and that you don’t even get to the point of data security breaches.”
The not-for-profit cloud experience
For Catholic Education Office Sydney chief technology officer, Milton Scott, who has approximately 70 per cent of his systems based in the cloud, due diligence was most important before committing to a contract with Google.
“We’ve had two law firms work on looking at the privacy and terms and conditions, which sit behind someone like Google,” he says.
This included duty of care issues for student information held by the Catholic Education Office. For example, health and safety information around the student or employee isn’t retained in Google Mail.
Scott adds that use of the cloud was ideal for making savings in a not-for-profit organisation.
“The sorts of [cloud] offerings we receive from Microsoft and Google are at an educational pricing that would be different to a commercial venture.”
Another cloud security measure used by the Office is a Novell identity management system, which checks all staff identities against a directory of employees.
“As soon as an employee leaves, their name is removed from that identity management system and applications become dead to them,” Scott says.
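The leaver process Scott describes, in which an application account stays valid only while its owner is still in the employee directory, comes down to a reconciliation between an HR roster and the accounts each application holds. The following Python is an added illustration of that pattern; it is not code from the Catholic Education Office or from Novell's product, and every employee record, account name and date in it is constructed for the example. It also flags orphan accounts that are linked to no HR record at all, which a real directory-driven system has to decide about explicitly.

```python
"""Leaver reconciliation: disable application accounts whose owner is no longer
an active employee in the HR directory, and flag accounts with no owner.

Added example of the identity-management pattern described in the article.
Not the Catholic Education Office's or Novell's code; all records are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    employee_id: str
    end_date: Optional[date]  # None while the person is still employed


@dataclass
class AppAccount:
    app: str
    username: str
    employee_id: Optional[str]  # None means the account is linked to no HR record
    enabled: bool = True


def active_ids(directory: List[Employee], today: date) -> Set[str]:
    """Employees with no end date, or an end date still in the future."""
    return {e.employee_id for e in directory
            if e.end_date is None or e.end_date > today}


def reconcile(directory: List[Employee], accounts: List[AppAccount],
              today: date) -> Tuple[List[AppAccount], List[AppAccount]]:
    """Return (accounts to disable, orphan accounts).

    An enabled account is disabled when its owner has left; an enabled account
    with no owner is reported as an orphan rather than silently left alone.
    Already-disabled accounts are ignored so the run is idempotent.
    """
    active = active_ids(directory, today)
    to_disable: List[AppAccount] = []
    orphans: List[AppAccount] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.employee_id is None:
            orphans.append(acct)
        elif acct.employee_id not in active:
            to_disable.append(acct)
    return to_disable, orphans


def apply_disables(to_disable: List[AppAccount]) -> int:
    """Mark the accounts disabled; a real connector would call each application."""
    for acct in to_disable:
        acct.enabled = False
    return len(to_disable)


# Constructed sample data: the run date, an HR roster and accounts in two apps.
TODAY = date(2012, 9, 5)
DIRECTORY = [
    Employee("E100", None),               # still employed
    Employee("E200", date(2012, 9, 4)),   # left yesterday
    Employee("E300", date(2012, 12, 31)), # leaving later this year, still active
]
ACCOUNTS = [
    AppAccount("mail", "alice", "E100"),
    AppAccount("mail", "bob", "E200"),
    AppAccount("lms", "bob.lms", "E200"),
    AppAccount("lms", "carol", "E300"),
    AppAccount("mail", "svc-legacy", None),           # no owner on record
    AppAccount("mail", "old-dave", "E400", enabled=False),  # already disabled
]


def run_example() -> Tuple[List[str], List[str]]:
    """Reconcile the sample data; returns (usernames disabled, orphan usernames)."""
    to_disable, orphans = reconcile(DIRECTORY, ACCOUNTS, TODAY)
    apply_disables(to_disable)
    return ([a.username for a in to_disable], [a.username for a in orphans])


if __name__ == "__main__":
    disabled, orphans = run_example()
    print("disabled:", disabled)   # bob's accounts in both applications
    print("orphans:", orphans)     # svc-legacy needs an owner or a decision
```

Running this on the sample data disables both of bob's accounts the day after his end date, leaves carol alone until her end date passes, skips the already-disabled account, and reports the unowned service account for a human decision. Scheduling such a reconciliation, rather than relying on a manual ticket, is what makes applications "become dead" to a leaver promptly.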
This article and the comments within it should not be construed as legal advice.
Hamish Barwick, CIO Australia