One of the common arguments I hear against cloud based computing is around compliance and the Data Protection Act (DPA) 1998. In this post I want to look at the DPA and see how it actually affects the use of “The Cloud” for organisations based here in the United Kingdom.
Before I begin, this article is being written by an IT person, not a lawyer. It in no way constitutes legal advice!
The Data Protection Act 1998 describes the legal obligations all organisations in the U.K. have in terms of handling data. The act covers such areas as data collection, data storage and data sharing. The act itself is “policed” by the Information Commissioner’s Office (ICO). The act covers both electronic AND paper data storage. Basically, if you collect data on people, you need to obey the act. You will need to register with the ICO and follow their guidance.
In the most simple of terms, the act is “supposed” to ensure that all data in the UK is stored securely, never shared inappropriately, and kept only as long as required. The act’s effectiveness in this area is questionable, with a large selection of public failings (without serious consequences) being catalogued ( ORG Website ).
The failings as I see them relate mainly to the secure storage of data and the sharing of that data. Why the software (and hardware) in these large public bodies has not been built to prevent the ability to transfer data insecurely is beyond me… but I digress.
In regard to Cloud Computing, the areas that relate directly to the DPA and that I want to examine in this post are:
- Secure storage of data
- Transferring Data outside of the U.K. “without adequate protection”
I shall be exploring this in the context of storage, specifically in terms of using “the cloud” to store your organisation’s data.
Secure storage of data
So, this means: is the data being adequately secured? In a paper world, this would mean that you kept the personal information in a fireproof safe to which only a small number of people knew the combination. The receptionist could not walk in and read a file. In an electronic world the bare minimum would be storing it on a disk that is backed up appropriately and secured so only a small number of people can access the data. The receptionist should not be able to type a name into the CRM database and read someone’s information.
In an electronic world, the data should also be securely encrypted. That way, if a server is lost or stolen, nobody will be able to put the disk in another machine and copy the data off. Nor should Joe the junior IT guy be able to copy data off the server and put it on a CD. Or, perhaps more accurately, even if Joe the IT guy copies the database onto a CD it is useless, as it has been encrypted properly, both on the disk and potentially inside the database.
In the cloud the same applies. You should be storing your files in a securely encrypted format. The data should be encrypted BEFORE it is sent across the WAN to the cloud. This encrypted data is then stored on a secure host in the cloud, that has adequate backups etc.
If I look at the laptop in front of me, I keep all the data on its disk encrypted, so not even taking the disk out of my laptop and reading it on another machine will allow you to open my files. I back up my data onto “the cloud” via a 256-bit AES encryption mechanism: each file is encrypted and then sent to my data storage on “the cloud”. It does not matter if someone is “sniffing” my traffic; the data is encrypted prior to transmission.
The data centre my data resides in on the cloud is secure, more so than my house or office I suspect. It has redundant power, air con, fire protection, swipe card access, etc. Even if someone got in there and stole some servers, the chances are that my data is split across multiple servers, so the risk of someone getting my specific files is smaller than if they broke into my office. The data is also stored, you will remember, encrypted, so even if they get their hands on my data, they won’t be able to read it.
Compare and contrast this to the all too common backup tape, where data is stored unencrypted on tapes, often in a relatively low security offsite location like a warehouse or a staff member’s home! If someone gets hold of that tape, they just need to put it in a tape drive and they are 90% of the way there to getting access to your data!
So in the storage area, I genuinely believe that “The Cloud” meets your DPA obligations.
[UPDATE: 28 November 2008] George Reese over at O’Reilly has just published a quick guide to securing Amazon’s AWS cloud services. If his “20 Rules” are used as a guide you should be able to build robust Cloud applications. The article is at http://broadcast.oreilly.com/2008/11/20-rules-for-amazon-cloud-security.html
Transferring Data outside of the U.K. “without adequate protection”
Okay… I am going to approach this from the angle of storing your data overseas as opposed to transferring/giving your data to a third party. I.e. selling the data to someone else overseas.
Much like a lot of the DPA, and all legal documents, what it says is difficult to understand and perhaps intentionally vague. My interpretation here is that if you are transferring data outside the UK, you need to ensure that it is secure.
But what about storing your data on “the cloud”, where the disks the data resides on are in Europe or the USA?
This is a more difficult topic, but I again think that the encrypted file storage possible with cloud based storage meets the obligations set out in the act. Although the data has been “transferred” outside the UK, it has been done so with some serious (more than adequate) protection. Of course if you simply copied the raw files onto the cloud, then NO, you do not pass go and do not collect $500.
To return to my laptop example, the data I am transferring out of the U.K. is encrypted on my laptop before transmission. Even if a server techie in the USA gained access to a file, they can’t open my data, so I consider it protected. As only I have the pass phrase for my encrypted files, only I have access, so the data should be safe.
So I believe that the cloud meets the DPA obligations for data transferring outside the UK.
Those of you who are giving this some thought have no doubt spotted some holes in my arguments; “what if the data is not encrypted first?” is the first question I’d raise. In that case, all bets are off, and I do not believe that the cloud meets the DPA requirements.
It comes down to implementation (as with all data security, be it paper based or electronic).
This is why I think that people like me have jobs. It is my role to advise organisations as to how issues like this affect their implementation of technology. A tape vendor can easily say the cloud for backup is all bad: it’s slow (it is), it’s insecure (it can be), it does not meet the DPA/SOX/HIPAA (it might not). But equally, as has been shown by the almost weekly reports of data loss in the media, neither is tape, or disk, or memory stick, or paper!
WAFS for remote offices…
As I wrote this post, I started using the example of opening an overseas office, and getting the data people need over there. It’s an example I have practical experience with. I didn’t use it above, but it does raise some interesting DPA issues.
Let’s say you are opening an office in Mumbai/Warsaw/Paris/wherever. How do you get data to and from the new office? Do you take a copy of your UK data and fly it over with Joe the IT guy and get him to copy it onto a new server over there? If so, I suspect you have just broken the DPA. You have transferred data outside the UK with virtually no protection at all.
If Joe takes the data on an external hard disk or tape, is it encrypted?
Even if it is, the moment you put it on a server outside the UK, you may be losing control (and security) of that data. The cloud may offer a way around this: store all the data on a cloud based network drive that is shared between the two offices, perhaps? The other solution (that I know has been implemented by numerous UK organisations) is to share the data from London to the other site across a WAN connection.
The data resides on a server in the UK, so in part it has not been transferred and is being stored securely. A great solution for this is WAFS, or Wide Area File Services; let me know if you want to talk about it. Again, the opposite argument is that if the data is available outside the UK in any way, your control (and security) is compromised. It’s very hard to prevent people making a local copy of a piece of data they have remote access to, be that via the cloud or WAFS.
[...] topic is very interesting and we have posted some information on it here previously ( Cloud Computing and the Data Protection Act ). Registration for the event is open, with “early bird” pricing closing this week [...]