Data Privacy, Security and Sovereignty – serious cloud question or storm in a teacup?

By Martin Quinn (Principal Consultant) 6 December 2013

Data sovereignty is a hot topic when talking in security circles. Many organisations who move to the cloud and use services like Amazon or Azure often overlook the issues of data sovereignty, blinded by huge cost savings and lower TCO or massive redundancy and uptime on offer.

So why is data sovereignty an issue at all?

Well, only until recent times did cloud providers Amazon offer services which were physically located within the Australian continent. The location of a cloud provider can make data accessible to non-nationals and international government agencies under their local laws. For example the Personal Data Protection Act (Singapore & Malaysia) and the German Federal Data Protection Act (FDPA) (Bundesdatenschutzgesetz, BDSG) all have caveats regarding how personal information is accessed by government agencies and businesses, and the Patriot Act (USA) contains provisions allowing the US government access to records for intelligence and terrorism investigations.

Then what of privacy concerns?

Any organisation moving their information into the cloud must have a reality check and do so with their eyes open.  With greater accountability and obligations on individuals and businesses when the (previously “toothless tiger”) Privacy Act comes into force of March next year (2014), those businesses found to be in breach, could face fines in excess of $1.3 million.

The Privacy Act and subsequent Australian Privacy Principles (APP) outline that organisations must take reasonable steps to protect the personal information of customers and individuals from misuse, modification, loss or disclosure. To avoid breaching the APP’s, businesses that utilise a cloud provider, need to know where data is transferred, processed and stored.

What about Security?

Whether moving your organisation to the cloud (or MSP for that matter), it invariably means that the business releases some or all control over its data. Because of this, businesses must take into account (and perform due diligence) of how their data is handled whilst in transit and while at rest in remote storage. Businesses must feel comfortable with the assurances that the cloud provider security provides and that contracts reflect responsibilities and penalties should these not be met. It is usually a good idea to seek an independent security audit early as well as establishing an ongoing audit regime for peace of mind. Compound this with well defined policies and procedures on how data is accessed and your business should be comfortable in closing off any security concerns.

Having taken into account these three issues, are they serious questions that need to be answered – Yes, are they just a storm in a teacup – Perhaps, but if you have any concerns or apprehension as to whether the cloud provider you have been looking to move to doesn’t tick all of these boxes then maybe they aren’t the right provider for your business.

Intact Security understands information security and the pitfalls of privacy, security and data sovereignty. We can help you develop a strategy on how to best manage this for your organisation. Call today for a no obligation consultation on 8070 0083.

Relax. Your security is Intact.

Author: Intact Security
Google

Posted on by Martin Quinn in Security Blog