As cloud computing comes of age, a confluence of events has raised real enterprise concerns about data security, data privacy and how organizations can ensure that sensitive information is protected at all times.
Considering the recent battle between Apple and the FBI, the Snowden leaks, and related concerns over Safe Harbour in Europe and the UK, organizations have real questions around working with a managed services provider, cloud data residency, and all of the potential ways privacy and security can be breached.
These data sovereignty issues were the focus of a recent ITWC webinar, sponsored by Cogeco Peer 1. Hosted by ITWC’s CIO Jim Love, the session — titled Understanding Data Privacy & Sovereignty: A UK Perspective — featured Susan Bowen, vice president and general manager of Cogeco Peer 1 EMEA, and Ross Woodham, director of legal affairs and privacy officer with Cogeco Peer 1.
Different countries and regions have different data sovereignty requirements, according to Bowen, which makes it particularly important for businesses to understand the local rules governing how data is accessed and how cloud service providers provision their respective services. New business models, heightened concerns over data protection, new global regulatory announcements and intense media and social media focus on data breaches are all creating a sense of urgency around data security and privacy, the participants noted.
Consider the UK, where the longstanding Safe Harbour data agreement was recently ruled invalid by the European Union (EU). That ruling meant the guarantee of data privacy was effectively trumped by U.S. national security. In its stead stands the EU-US Privacy Shield, which aims to set clear guidelines around data protection and the limitations of data surveillance programs.
As Antony Walker, deputy CEO of techUK, noted, the new data deal means that moving forward, “data protection authorities across Europe must play a constructive role in supporting this new agreement.”
In addition, the recent fight between Apple and the FBI has raised data sovereignty concerns and “there’s a high level of anxiety” around these issues, especially given the recent events in the news around data breaches and securing the cloud, Bowen said.
“The emergence of the cloud as a game-changing technology means that these physical and international borders become quite porous,” said Bowen, adding that a key challenge is around the often-confusing layer of international warrants and surveillance policies that cover business data in the cloud.
Companies are rightly concerned about whether their data is protected and if their information is secure. This poses questions between data privacy and data security — including what this means for law firms and technology companies in particular, said Bowen.
“Organizations are having to consider new business models in the way they operate,” she said.
They also need to understand how their managed service providers might react when working with governments and law enforcement agencies, which often cast very wide nets when making a request for data, said Woodham. And in many respects, when it comes to understanding security in the cloud, the horse has already bolted, she added, with many companies playing catch-up when it comes to understanding what data security and privacy best practices should be established.
When dealing with a managed services provider, organizations need to know the risks, the issues and, above all, the right questions to ask, she said.
Also, organizations should be aware of the inherent challenges of migrating sensitive business information to the cloud, Woodham noted. This includes understanding the data sovereignty challenges around the physical location where an organization’s sensitive data and documents reside.
“Treat data as an asset and understand the controls and obligations,” offered Bowen. It’s now not necessarily about the technology but about understanding the failsafes.
Woodham offered that best practices include conducting an “impact assessment” to understand the local laws and legislation around data protection. This also involves having a conversation with your cloud service provider to clearly understand the terms of your cloud agreement, how data is stored and what security controls are in place to prevent the loss of collected business information.
“Data is the lifeblood of your business; how you protect that will determine how successful you are as a company,” Woodham said.