This book is intended to be an introduction to the risks involved in Cloud sourcing, to enable managers to ask the right questions. Suggestions are offered for the kind of risks an organisation’s use of the Cloud might generate, and the remedial measures that might be taken. These are given as examples only and are not intended to be a substitute for qualified legal or technical advice. Other publications from ITGP, listed at the end of this book, address security in more detail.
Cloud security has to be a joint effort between the provider and the customer. The customer must select a provider with adequate security and other provisions; many of the topics discussed here will therefore be of equal interest to Cloud providers. However, the customer’s responsibilities go further. Without a well-functioning information security process in place, selection of a secure Cloud provider is only a half measure.
In order to emphasise where the responsibility for data protection compliance normally lies, the Cloud services customer is more or less interchangeably referred to in this publication as the ‘data controller’.
This pocket guide is based on EU legislation, and will therefore be of relevance to any organisation that needs to meet the EU General Data Protection Regulation’s (GDPR) requirements.
One of the most dramatic recent developments in computing has been the rapid adoption of Cloud applications. There is no sign of this diminishing with the increasing proliferation of small, mobile devices that presuppose always-on Internet connections and rely heavily on the Cloud.
The business advantages of the Cloud are clear, both for the provider and the user. The provider can move to a subscription model for occasional as well as frequent users. The user gets the flexibility of being able to access both data and applications from any location, avoids much of the burden of applying security or productivity upgrades to their software and has the option of multi-platform access to an integrated set of data.
Cloud usage is continuing to expand. The 2018 Bitglass Cloud Adoption report shows that the percentage of organisations having adopted the Cloud in some form is more than 81%; in 2014, this was only 24%. What’s more, highly confidential and business-critical data is routinely placed in the Cloud. Considering that the report also shows that, on average, only a quarter of Cloud-using organisations use single sign-on (SSO) as a basic Cloud security measure, this is worrying.
As with all technologies, the legal and practical implications are not always immediately apparent, and unexpected problems can crop up. Cloud computing evolves much more quickly than the law does, so it does not always sit easily within existing legislation. The EU Directive 95/46/EC – also known as the Data Protection Directive (DPD) – was agreed in 1995, making it the main reference point on data protection for 21 years. At the time it was agreed, the World Wide Web was in its infancy, and by the time the DPD was superseded by the GDPR in May 2018 (the GDPR itself having been agreed in 2016) it was well out of date.
At about the same time, EU Directive 2016/1148, also known as the Directive on security of network and information systems (NIS Directive), was transposed into and enforced through member states’ national laws. Organisations within scope are required to put technical and organisational measures in place that will protect them from cyber attacks and ensure they are able to respond in the event of disruption.
Data protection obligations
Failing to adequately protect data can have serious consequences. First and foremost, of course, the individuals whose data was breached will be affected. Although the cases where serious physical harm has been directly caused through a failure to prevent data falling into the wrong hands are thankfully rare, they have nevertheless still occurred. Other types of damage, including financial, are more common – some of the more obvious ones being fines and lost turnover through reputational damage. The latter can seriously impact brand integrity and customer loyalty, fuelled by the publicity given to serious breaches, if relatively recent cases such as Equifax and Facebook are anything to go by.
The ease with which data can be moved around the web and the user’s day-to-day (in fact, second-to-second) reliance on the performance of Cloud providers make data protection compliance more challenging than it might be when data is sitting firmly under control on an in-house server. The GDPR and NIS Directive address some of these challenges but it is unlikely that they or any other legislation can remove the risks inherent in Cloud computing.
Having said that, if these risks are managed properly, they need not be showstoppers. The benefits of Cloud computing are certainly tempting. The important thing is to be fully aware of the risks and take appropriate action before deciding to put valuable, confidential data into the Cloud.
Changes introduced by the GDPR
Data protection, already a much-discussed topic, has received even more attention since the GDPR came into force. The changes introduced by the Regulation include, for starters, the fact that it is a regulation rather than a directive; it therefore applies directly to all organisations that handle EU residents’ personal data.
The fact that it is now a regulation is not the only big change. For one, the range of personal data covered is now much broader. Data subjects are also given much more control over their data with expanded rights; for instance, they may request a copy of any personal data held on them without charge (the right of access), and may ask for data to be transmitted to another data controller (the right to data portability). If your organisation stores any such data in the Cloud, this change may have significant implications.
However, many fundamentals of data protection have remained the same, even if the contents have been reshuffled and/or set out in more detail. Ultimately, the Regulation boils down to a small number of core principles and data subjects’ rights, which organisations must consider when implementing or using any technology, especially if those technologies operate remotely, such as in the Cloud.
The NIS Directive
Unlike regulations, directives are legal instruments that set minimum standards and parameters for EU member states to implement on a local level. Although there may be differences in each state’s implementation, a minimum standard will nonetheless be maintained. One relatively recent – and very relevant – example for Cloud providers and users is the NIS Directive.
The NIS Directive applies to two main groups: operators of essential services (OES) – in other words, critical infrastructure – and digital service providers (DSPs) – encompassing online marketplaces, online search engines and Cloud service providers.
The Directive was introduced by the EU in response to the growing number of cyber attacks on critical infrastructure. Such digital attacks can significantly impact the physical world and prevent access to services that are essential for both business and society. To give an example, in 2015 Ukraine was the victim of what is believed to be the first successful attack against a power grid, leaving 230,000 people without power for up to six hours.
DSPs, such as Cloud providers, are also covered by the NIS Directive because their services are essential for critical infrastructure organisations – as well as other businesses and individuals – to function. Additionally, because of their cross-border nature, the Directive is meant to apply to DSPs without exception or national variance, which is achieved through the European Commission’s (EC) Implementing Regulation.
This is good news for Cloud users: knowing that providers are legally required to put measures in place that ensure both the security and availability of their services is reassuring. However, organisations using the Cloud do need to consider the GDPR and how to comply with it. They also need to ensure that any technology placed in the Cloud is secure in the first place – otherwise, securing the Cloud would only be a half measure.
This is an extract from Data Protection and the Cloud – Are you really managing the risks?
©IT Governance Publishing Ltd
Your essential guide to understanding the risks associated with the Cloud
More than 81% of organisations have adopted the Cloud in some form, according to the 2018 Bitglass Cloud Adoption Report. However, moving data to the Cloud does not solve security problems – it adds another risk that needs addressing.
This pocket guide discusses the GDPR requirements relating to Cloud sourcing and the risks attached. With a view to helping managers ask the right questions, the book aims to help you learn how to meet your data protection obligations when using Cloud services.
 Bitglass, “Cloud Adoption 2018 War”, https://pages.bitglass.com/FY18BR-CloudAdoption_LP.html.
 Rebecca Hill, “Exposing 145m Equifax customer deets: $240m. Legal fees: $28.9m. Insurance: Priceless”, The Register, April 2018,
 Olivia Solon and Oliver Laughland, “Cambridge Analytica closing after Facebook data harvesting scandal”, The Guardian, May 2018,
 Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired, March 2016, www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.