Cloud Services – You own it – you protect it!
Data privacy exposures happen all the time, and most go unreported. Data, whether stored in the cloud or within your own four walls, is your responsibility. Most cloud providers and cloud application vendors will provide some level of protection for your data, but for the most part you are on your own. Without adequate information on the security and compliance profile of the data, including its ownership, access controls, audit trail and classification, cloud initiatives can fall short of expectations and put sensitive data at risk. Understanding who owns the data, who is authorized to use it and what those users actually do with it is critical to gathering organizational input, which in turn is critical to defining the security and compliance profile of the data, both for the internal datacenter and for the cloud.
Another issue is privacy and data protection law, which can differ widely from country to country and may be imposed by national, regional and even local authorities. Some countries strictly restrict whether information about their citizens may be stored outside their borders at all. If your employees or your data cross geographical boundaries, what must be done in each scenario to remain compliant with potentially very different restrictions?
Jurisdiction matters immensely, because where the data is stored determines which laws apply to it, and several may apply at once. From a legal point of view, location matters: if data is stored offshore, the protections of your home jurisdiction may not reach it, while the laws of the hosting country will. Cloud vendors can store your information on a variety of servers across the world. For example, the USA PATRIOT Act gives US authorities broad powers to compel access to data stored within the country; the EU Data Protection Directive restricts transfers of personal data to countries outside the EU that do not ensure an adequate level of protection; and the Massachusetts data breach and data security rules require that residents' personal information be protected and set strict requirements around its storage, access and transmission. A cloud environment by its nature has no boundaries, which requires careful thought about who might be accessing the content, and from where.
A further issue is who must notify affected people when personal data is compromised: the service provider or the organization? Who pays those costs? If an internal end user uploads data to the cloud and that data is later compromised, again, who is responsible? It would appear that in all cases you are.