Whenever I’ve suggested using a public cloud service to a European customer the very first concerns raised, or alternatively the reasons given for immediately killing the idea, are data security and regulatory compliance. Consequently I’ve made a purposeful effort to get to the bottom of the issue recently, which has included speaking with a couple of AWS solution architects on this topic while I was in San Francisco in February 2013.
So for the next little while I’d like to examine this topic, starting with the one piece of EU legislation that’s often implicitly invoked to justify not using the cloud – Directive 95/46/EC.
The Data Protection Directive
This particular bit of law and proposals to reform it have also recently been the source of much tension between the US and the EU. As EU directives get implemented as law in the member states, and for ease of reference, I’m going to refer to the British implementation of the directive – The Data Protection Act 1998 (DPA) and the accompanying guidance provided by the Information Commissioner’s Office (ICO).
The DPA breaks down into eight basic principles:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
   (a) at least one of the conditions in Schedule 2 is met, and
   (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Obviously there’s a lot there, and all of them have some impact on the design, implementation, and management of IT systems. Indeed IT systems are typically key to maintaining compliance. However when making a decision about whether or not to use public clouds I think the principles we need to think about the most are 7 and 8, so let’s focus on these.
A common anti-cloud argument I’ve heard is about security – “we can’t use public clouds, because we can’t guarantee the security of our users’/customers’/patients’/etc. data”. There seem to me to be two assumptions underpinning this assertion:
- That a company must guarantee total security for personal data
- That public clouds will be viewed as less secure than private data centres
On the first point, this simply doesn’t match up to the language of the law, which repeatedly uses the word “appropriate” in relation to security. If we look at the original text of Directive 95/46/EC, paragraph 1 of article 17 states (emphasis added):
the controller must implement appropriate technical and organizational measures to protect personal data
The law doesn’t ask for guaranteed, impenetrable security because, as any information security specialist will tell you, it isn’t possible! What it does ask for is that the measures be proportionate to the risk, which is a standard you can be held to and can document.
And on the second point, that regulators may view clouds as inherently less secure than private data centres, the ICO’s specific guidance on complying with the DPA in the cloud contains a passage that seems to answer this concern. In the overview, after point 4, it states (emphasis added):
Organisations that maintain and manage their own computer infrastructure may be considering a move to cloud computing to take advantage of a range of benefits that may be achieved such as increased security, reliability and resilience for a potentially lower cost.
Somehow I doubt the regulator would list “increased security” as a potential advantage of the cloud if they thought the concept was less secure…
When it comes to working out what “appropriate” means, the ICO’s guidance on principle 7 is a good resource for getting started. In general, the regulator seems to recommend that an assessment of the data being stored is carried out and that the security decisions taken are a reflection of that assessment: the more sensitive the data and the greater the harm if it leaks, the stronger the controls expected.
Transferring to other Territories
Principle 8 is a bit trickier, however perhaps a good place to start is the European Commission’s “decisions on the adequacy of the protection of personal data in third countries” page. This page gives the current list of countries outside the EU/EEA which are considered to offer a level of protection for personal data sufficient that transferring data to them can be legal. Considering, again, that most public cloud providers are US-based, the fact that the USA’s Safe Harbour program is listed there should alleviate some concerns. One caveat worth knowing: the adequacy decision covers US organisations that have self-certified under Safe Harbour, not the USA as a whole, so check that your provider is actually on the Safe Harbour list rather than assuming it.
And looking at AWS specifically it’s worth noting that the EU-West-1 region is in Ireland, so within the EU. As AWS also state that data is never transferred or synchronised between regions (unless you do it yourself, of course), I think there should be no issues with regard to principle 8 when it comes to using the EU region to store and process personal data, provided you keep every service, replica and backup you use in that region.
The Patriot Act
Finally there’s one other, usually whispered, concern European companies sometimes raise about American cloud providers in particular – “The CIA will steal all my data!”
Well, firstly, it’s not just the CIA! Even the EU Data Protection Directive allows for exceptions and exemptions on such broadly worded and easily redefined grounds as “national security” and “defence” in article 13 paragraph 1:
Exemptions and restrictions
1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measure to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;
(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;
(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);
(g) the protection of the data subject or of the rights and freedoms of others.
So you can rest assured that while the CIA may be sifting through your customers’ data, so are MI6, the BND, the DGSE, etc., etc.!
But let’s focus on the US authorities for a moment and look at this one from a slightly different perspective, by comparing a public cloud to a typical, traditional setup for a large-ish company.
Recent research indicates that, under US law, US authorities can seize data from anywhere in the world, so long as the data is held by a provider who conducts “systematic business” in the US. CNET reports the researchers as stating:
“In the U.S. legal framework, there is a legal doctrine called ‘extra-territorial jurisdiction.’ This implies that cloud providers operating anywhere in the EU, or anywhere in the world for that matter, have to comply with data requests from U.S. authorities as soon as they fall under U.S. laws,” said Arnbak.
“These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It’s a widely held misconception that data actually has to be stored on servers physically located in the U.S.”
So let’s consider a hypothetical scenario. A typical larger European company wants some servers. Most likely, they won’t actually buy any hardware though. In my experience, the finance people in companies of this size tend to want all IT costs to be “OpEx” (operational expenditure) rather than “CapEx” (capital expenditure), which means they normally end up leasing servers with support and maintenance from an IT vendor and sticking them in a data centre somewhere in the EU.
And the keyword there is “leasing” – they don’t actually own the servers, and indeed probably don’t have full admin rights on them – the IT vendor does. And these vendors are usually big global companies, such as IBM, Dell, HP, CSC, and the like, who also operate in the US.
So, our theoretical European company’s data is probably being held on servers owned and operated by a US company, and thus can, seemingly, be legally seized by the US authorities. My overriding point here is that the fact that the data is physically held in the EU doesn’t automatically protect it from foreign search and seizure.
This is a scenario I’ve seen many times over the years and it’s one that concerns me a lot. Not because “the CIA will get my data”, but because people often, and in my opinion illogically, assume that servers are more secure if they can physically touch them.
By assuming that a level of security exists, they blind themselves to real risks (and I don’t mean just foreign governments!) and so fail to see the need for some basic security best practices, like pervasive usage of encryption.
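To make the point about encryption concrete, here is an added example (it is not part of the original post, and it is not AWS or any vendor’s code) in Go, using the standard library’s AES-256-GCM. The data controller keeps the key; the leased server or cloud bucket, simulated here by an in-memory map, only ever receives ciphertext. Whoever gains physical or legal access to that store gets nothing readable, and any tampering or mixing up of records is detected on decryption. The record, its identifier and the store type are constructed for illustration; in practice the key would live in an HSM or a key-management service under the controller’s control, which the example does not show.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. In a real deployment this key
// (or the key that wraps it) stays with the data controller and never
// travels to the storage provider.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag, which is all the storage provider ever sees.
// aad binds the blob to a record identifier without hiding it, so a blob
// copied under a different identifier fails to decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any modification of the blob, or a mismatch in aad,
// yields an error rather than garbled plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RemoteStore stands in for the leased server or cloud bucket (a constructed
// stand-in, not a real storage API): whoever holds the hardware, or a court
// order against its owner, can read every byte of it.
type RemoteStore map[string][]byte

// Exposes reports whether a stored object contains the given plaintext,
// i.e. what a party with physical or legal access to the store could learn.
func (s RemoteStore) Exposes(id string, plaintext []byte) bool {
	return bytes.Contains(s[id], plaintext)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	store := RemoteStore{}
	// Constructed sample record; the patient ID doubles as the AAD.
	id := "patient-0042"
	record := []byte(`{"name":"A. Example","diagnosis":"redacted"}`)

	blob, err := Seal(key, record, []byte(id))
	if err != nil {
		panic(err)
	}
	store[id] = blob
	fmt.Printf("store exposes plaintext: %v\n", store.Exposes(id, []byte("A. Example")))

	back, err := Open(key, store[id], []byte(id))
	if err != nil {
		panic(err)
	}
	fmt.Printf("controller recovers record: %s\n", back)

	// Flip one bit of the stored blob: the provider (or a seizing party)
	// cannot alter data undetected either.
	store[id][len(store[id])-1] ^= 0x01
	_, err = Open(key, store[id], []byte(id))
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The design choice worth noting is that the key never enters the store: this is what turns “the vendor owns the servers” from a disclosure risk into an availability risk only. GCM also authenticates the data, so the check on principle 7’s “accidental loss or destruction of, or damage to” personal data comes for free. The price is that losing the key loses the data, so key backup and rotation belong in the same risk assessment.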
More to Come…
I’m planning to look at some of these points in more technical detail over the coming weeks, with a particular focus on complying with principle 7, as I see this as being the area where IT folk will be most called upon during any transition to the cloud. Needless to say there’s too much ground to cover all in one hit, however I hope this and the following posts will be useful if, or perhaps when, you find yourself discussing security and compliance in the cloud with your company’s regulatory and security people!
So, that’s it for now, and as always, thanks for reading :)