Whether to Cloud?

Tuesday, July 1, 2014 - 15:25

I've been asked a few times recently how to decide which data or services it's appropriate to place in the cloud. The answer, rather boringly, is the same as for almost any other security question:

  • What are the risks and threats that need to be guarded against?
  • How do the possible solutions protect against those threats?
  • Compare the solutions and work out which provides the closest match to the requirements.

When considering a move to cloud, or other types of outsourcing, you'll usually be starting from the position where the information is held on-site. Since you know what measures you already take to protect against threats, the comparison will often be a matter of determining whether those available in the alternative, outsourced, option are the same (measures such as encrypted storage and communication or keeping personal data separate from identifying information can apply to both), worse, better, or different.

Although you may initially have to do this individually for each dataset or service, you should aim to identify a small number of different categories. Then when a new dataset or service comes along you can place it in the category with the most similar risks, threats and possible solutions, and know that the best solution is likely to be the same as last time you examined that category. This is the basic idea behind information classifications: to have a small number of standard ways of handling information that users, operators and information owners can all become familiar with.

For information held in digital form on networked computers, the risks can normally be divided into four groups:

  • physical access,
  • networked access,
  • regulatory risks, and
  • confidentiality risks.

As ENISA identified several years ago, both physical and electronic security measures scale very well, so a large cloud data centre should be able to provide stronger security measures than a smaller university one for the same cost per machine. Cloud providers are also likely to have fewer hardware and operating system variants, making automated patching more effective, and to be able to enforce stricter restrictions on physical access.

The main source of regulatory risks involves personal data. In particular, Principle 8 of the Data Protection Act 1998 imposes additional duties on anyone exporting personal data from Europe. This created significant problems for early cloud systems, but providers and regulators have adopted systems and guidance that greatly reduce the difference between on-site and cloud offerings. Many providers offer European storage as an option with standard contract clauses approved by European data protection authorities as a further protection. Since, as above, cloud storage may offer better compliance with the Act's Principle 7 requirement for appropriate technical and organisational security, the comparison of regulatory risk for particular information may now favour either on-site or cloud. The Information Commissioner's questions to ask your cloud provider may be a useful structure for comparing the risks with both cloud and in-house storage, while ENISA's list of certifications relevant to cloud providers may help with both internal risk assessment and compliance.

Some confidentiality risks, in particular those arising from access by law enforcement or other authorities and those affecting non-personal data, are not regulated by the Data Protection Act. These may need to be assessed separately. Here the most significant factor is whether the information is likely to be of particular interest or value to those authorities. In comparing different options, remember that the UK authorities have considerable powers and capability to access information on computers and networks in this country. Microsoft are currently contesting whether a search warrant issued by an American judge covers information about e-mail communications in their European data centre, but in the UK the police could have issued their own disclosure order for this information, under s.22 of the Regulation of Investigatory Powers Act 2000, with no need for prior judicial authorisation.

Finally, for some information or services, organisations may not have a free choice between different ways of providing the service. Some data sources may impose particular requirements, for example specifying particular storage locations or security controls. In other cases the organisation may prefer to know the details of its own security measures rather than rely on those provided under a standard contract by someone else. Such choices may be appropriate in some cases, but bespoke security measures are likely to be more expensive and, because they are less familiar, may be more prone to errors than standard approaches derived from a common information classification.

Comments

Andrew: Wondering if you had any comments in light of the recent judgement in the Microsoft case: http://www.bbc.co.uk/news/technology-28601788

Among various cloud services Office365 is of particular interest, and the sentiment amongst the R&E community/management is influenced by such high profile cases.

If access by law enforcement and other government agencies is a significant risk for your data then I'd suggest that the expansion of UK powers under DRIPA is actually the biggest change since I wrote that post.

As in the post, neither affects DPA compliance, so it's a question of what you assess to be the risks to the specific data/service you're considering.