2013 was a year in which a relatively techno-centric little subject called “cloud data security” took over headlines from Beijing to Baltimore. The Edward Snowden leaks, which continue to trickle out, revealed not only serious concerns about the veracity of cloud data security, but also how lax the measures for ensuring it actually were among CSPs (cloud service providers). Just as http:// morphed into https:// (the “s” stands for secure) to give consumers (and businesses) an added degree of confidence in e-commerce transactions, consumer demands for greater cloud data security are bringing to the fore the need for CSPs to step up and meet those demands. Those demands also signal a need for cloud data consumers to firmly take the reins of protecting their own data in the cloud, which they can do by owning and managing their own encryption keys.
How will data protection and cloud computing develop in 2014?
In a recent article in the UK Guardian discussing the trends and predictions for cloud data in the coming year, the author presented some interesting facts and a few pointed questions for the sector. The Data Protection Act 1998 (an act of British Parliament) codifies provisions to ensure the privacy and rights of individuals, and to ensure that their personal data is not processed without their knowledge and/or is processed with their consent “wherever possible”. Many of the provisions relate to the nature of data collected (in both manual and electronic formats), how that data is used, how long it is stored, and when and how it is disposed of.
Greater Regulation of Cloud Data could be on the Horizon
The 1998 act, an expansion of a similarly named act inaugurated in 1984, may be due for an upgrade, in light of recent events in cloud data security. Cloud consumers are becoming increasingly perceptive and inquisitive about the diligence being done on behalf of their CSP-entrusted data – and many are calling for more stringent regulations for what seems to be an industry rife with “gray areas”.
In the U.S., the epicenter of the shocks from the Snowden leaks, the NSA and CIA’s party lines aside, the Obama administration has met with tech titans from Google, Yahoo, Twitter and others to discuss their concerns about credibility with their cloud consumers, in light of recent disclosures of the NSA successfully hacking right through their backdoors. Prior to this, in 2012, the Obama administration pushed for an overhaul of the Consumer Privacy Bill of Rights, and the cloud industry is looking for assurances from the U.S. government that the rights of cloud consumers are given greater protection.
This act has a similar intent to the UK act, in that it is intended to provide individuals greater confidence that their personal data is accurate, will be held securely, and only used for its intended purposes at the time of (authorized) collection. This act was initiated, in large part, to protect businesses and consumers against credit fraud and identity theft.
Cloud security concerns in the EU have led to calls for a separate cloud managed by and within the EU. EU legislators have stepped up in response to the concerns of their constituents and are rushing to put together regulations for cloud security. The result is The European Cloud Partnership (ECP), which is tasked with establishing a “digital agenda” to create homogenous national laws among member states. Such laws could potentially codify the location of data, who owns digital content, and establish equitable and transparent rules for accessing data.
Fluidity in the Cloud
Insiders predict that data portability will become more fluid through the creation of standard industry contracts for cloud services, making it easier for cloud consumers to change service providers.
Lastly, one of the outcomes of the ECP initiative will be CSP certification. This approach harks back to the “s” in https:// mentioned earlier, which greatly enhanced consumer confidence in the security of e-commerce sites. Similarly, by establishing certification of CSPs, cloud consumers will have a valuable means for determining which CSP they will choose as their provider.