According to a recent report by Icomm Technologies, 70% of cloud data centres keep customers in the dark about where their data is stored. To me that is a pretty scary statistic, particularly as organisations are rapidly deploying cloud storage services and there is no evidence that organisations holding sensitive or confidential data are refraining from doing so. This statistic should set alarm bells ringing, especially in the EU, where organisations that store citizens' data must be able to show where that data is held.

Are organisations skipping the due diligence required to store data in the cloud because the cost benefits are too attractive? That could be a false economy if organisations do not do their homework first. The ICO in the UK (the Information Commissioner's Office) does issue fines to organisations that breach the Data Protection Act.

The Data Protection Act is explicit on both points: its seventh principle requires organisations to keep personal data secure against unauthorised processing, loss or damage, and its eighth principle prohibits transferring personal data to countries outside the European Economic Area unless an adequate level of protection is in place. Not knowing which country your cloud provider stores your data in makes it impossible to demonstrate compliance with the eighth principle.

Here are some best practices if you are going to store sensitive data in the cloud:

  • Do your homework! Make sure you know where your data is in-house today (surprisingly, many companies think they have an idea but are not sure)
  • Understand how that data needs to be protected and which controls you need to apply, based on its classification
  • If you are just using the cloud as 'storage', work out which policies still apply, e.g. how long you need to retain the data and when it must be deleted

Also ask the cloud storage provider for:

  • Evidence of where your data is going to be stored, including any replicas or backups
  • Evidence of the controls, e.g. encryption, that are applied to that data, and who holds the keys
  • Evidence of how those controls will meet your own GRC obligations
  • Evidence of how they will delete the data at the end of the contract term

Cloud storage does provide a very cost-effective way to store data, particularly archived data that you may need to keep for compliance reasons for a number of years, but organisations must ensure they have followed all the relevant guidelines if they want to stop the ICO knocking on their doors.

Author: Rashmi Knowles

Rashmi is Chief Security Architect at RSA, The Security Division of EMC. In her role Rashmi is responsible for Technology and Compliance Solutions for the EMEA region. Her current responsibilities include working with customers in a Trusted Advisor role, thought leadership for emerging technologies, acting as key spokesperson in the region for RSA's Virtualisation and Cloud strategy and Compliance Solutions, and serving as a subject matter expert on Data Loss Prevention and Encryption Solutions. Rashmi has over twenty years' experience in data communications and mobile communications and has focussed on Information Security for the last 15 years. Rashmi holds a degree in Computer Science from De Montfort University and a postgraduate qualification in Computer Studies from the University of the South Bank, London.