Tangled Data Protection Laws Threaten Cloud, Critics Say - InformationWeek

Tangled Data Protection Laws Threaten Cloud, Critics Say

Technology group calls for "Geneva Convention" to address complex maze of data laws that affect growth of cloud computing and global trade.

User Rank: Author
12/18/2013 | 10:30:31 AM
Re: Who has access to what?
The complexities are immense, and getting more so.  Reminds me of what Amazon (the retailer vs the web services provider) faces in dealing with 50 state tax laws and the finer points of having a physical presence.  In this case, it would be like trying to decide whose laws apply depending on A) who bought the product + who made the product + who shipped the product + who invoiced the product + who carried the product + which distribution centers and trucks did the product sit in during transit + who received the product, etc.

The document from ITIF mentioned here helps frame this more clearly. Check it out at:  http://www2.itif.org/2013-false-promise-data-nationalism.pdf

User Rank: Ninja
12/16/2013 | 8:37:20 PM
Who has access to what?
My main concern around data protection as it relates to foreign-hosted assets is really about what happens in the case of a security incident.  Should the government require involvement, due to a linkage to organized crime or piracy concerns, who dictates whether or not they can obtain access?  For example, due to the higher availability of cloud services in the US, should a foreign company host data and the local government deem them to be a company of interest, who in the end gets to govern how assets can be accessed?  That's going to be a key point when it comes to weighing the options of foreign hosted cloud services. 
User Rank: Apprentice
12/15/2013 | 8:50:35 AM
Re: Making Public Clouds Private
Insightful article Wyatt, thanks for your work on this.  
User Rank: Author
12/13/2013 | 6:41:05 PM
Ulf Mattsson, thanks for sharing your observations about tokenization as an approach to data privacy, and referencing the report from the Aberdeen Group, that indicated "...Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users". We'll have to explore that further.

User Rank: Author
12/13/2013 | 6:36:44 PM
Re: MS' stake?
Microsoft, as you know, has a huge stake in the future of cloud adoption, as one of the world's leading cloud computing service providers, both in terms of its global infrastructure as well as its SaaS and PaaS platforms that operate in -- and carry data across -- the cloud, i.e., Office 360 and Azure. I can't speak for Smith. But I think his point would likely be, greater uniformity would help enterprises move to the cloud sooner. True, that lifts the tide for all boats, including Amazon and Google. But a boat the size of Microsoft is clearly going to benefit.

Petar Zivovic,
User Rank: Strategist
12/13/2013 | 2:54:19 PM
Data Storage issues
"The notion that data must be stored domestically to ensure that it remains secure and private is false". -Castro

For US companies, the NSA controversy would seem to support this assertion. However, this can be misleading as it focuses on the location aspect of the data rather than protecting accessibility of the data itself, which is the real issue here.

Whether your data is plundered by your own government, a foreign government, or a new government (say in the event of a coup), the point here really is that you can't control what governments do (directly). You can outsource your data and data functions to the cloud, but not the responsibilities. "Your" here can mean you personally or the company you work for.

Companies would need to implement their own encryption methods for data at rest in the cloud as well as data in transit when accessing that same cloud information. They should not trust the cloud provider to do this for them, as now you have the fox guarding the henhouse, so to speak. Example: One government coup, and the cloud provider may literally be forced to turn over the encryption keys at gunpoint. They can't do that if the keys are held by the owner of the data elsewhere, out of reach.

Will companies follow up with the requisite encryption? Consider: 1) the costs of acquiring and managing that technology, 2) slower response time of cloud providers serving up data as it's constantly being encrypted/decrypted on the fly [for some businesses, fractions of a second do count], 3) the likelihood, large or small, that at least one competitor will omit doing this as a "cost saving action" to gain an edge on the competition - until the first breach happens, exposing this high-risk behavior. Weigh that against the risk of a data seizure attempt occurring (hint: if the data is out in the cloud long enough, that risk approaches 100%).
Lorna Garey,
User Rank: Author
12/13/2013 | 1:15:49 PM
MS' stake?
Wyatt, why has Microsoft dispatched Smith on this barnstorming tour? What's its big stake in establishing greater uniformity in how cloud computing companies are regulated? Yes, it will help with international contracts, but it seems of equal or greater benefit to Amazon and Google.
Ulf Mattsson,
User Rank: Strategist
12/13/2013 | 12:05:24 PM
How to store data outside the domestic borders and at the same time be compliant to regulations
I agree that "The notion that data must be stored domestically to ensure that it remains secure and private is false".

It is actually easy to store data outside the domestic borders and at the same time be compliant to regulations and also ensure that the data remains secure and private.

I found interesting projects that addressed the challenge to protect sensitive information about individuals in a way that will satisfy European Cross Border Data Security requirements.

One project included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated in one European country. The project achieved targeted compliance with EU Cross Border Data Security laws, Datenschutzgesetz 2000 - DSG 2000 in Austria, and Bundesdatenschutzgesetz in Germany by using a data tokenization approach, protecting the data before sending and storing it in the cloud.

This new approach to data privacy is described in a report from the Aberdeen Group. The report revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data.

The name of the study is "Tokenization Gets Traction". Aberdeen has also seen "a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data".

Ulf Mattsson, CTO Protegrity
Gerry Grealish,
User Rank: Apprentice
12/13/2013 | 11:28:06 AM
Making Public Clouds Private
Completely agree with the complexity created by country & state specific regulations mandating that PII be stored and processed in defined jurisdictions. Cloud Data Control Gateways, part of a framework that Gartner refers to as Cloud Access Security Brokerage services can help. Products like PerspecSys allow organizations to keep the subset of regulated data local in the Datacenter, and only surrogate tokens or encrypted values leave to go to the cloud. They own the token vault or encryption keys. End users are not aware the gateway is in place behind the scenes - they have full use of the cloud.
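
The gateway pattern described in the two tokenization comments above (Ulf Mattsson's and Gerry Grealish's), as an added example that is not part of the original comments or of any product named in them. The field names, the sample record and the `TokenVault`, `outbound` and `inbound` names are assumptions made for illustration.

```python
import secrets

# Assumption: which fields count as regulated personal data in this example.
REGULATED_FIELDS = {"name", "iban"}

class TokenVault:
    """Token-to-value mapping that never leaves the data owner's datacenter."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, field, value):
        # Tokens are random, so nothing about the value can be computed from
        # them; the same value maps to the same token so that equality
        # searches and joins still work on the cloud side.
        key = (field, value)
        if key not in self._by_value:
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def detokenize(self, token):
        if token not in self._by_token:
            raise KeyError("token not issued by this vault")
        return self._by_token[token]

def outbound(record, vault):
    """Gateway, outbound leg: swap regulated fields for surrogate tokens."""
    return {k: vault.tokenize(k, v) if k in REGULATED_FIELDS else v
            for k, v in record.items()}

def inbound(record, vault):
    """Gateway, return leg: restore the originals for the local end user."""
    return {k: vault.detokenize(v) if k in REGULATED_FIELDS else v
            for k, v in record.items()}

# Constructed sample record, not real customer data.
SAMPLE = {"customer_id": 1001, "name": "Erika Mustermann",
          "iban": "DE00-CONSTRUCTED-0000", "balance_eur": 2500}

if __name__ == "__main__":
    vault = TokenVault()
    stored_in_cloud = outbound(SAMPLE, vault)
    print(stored_in_cloud)
    print(inbound(stored_in_cloud, vault) == SAMPLE)
```

Only the output of `outbound` would be sent to the cloud service; the vault, and with it the ability to reverse the tokens, stays with the data owner.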