Privacy and security in the cloud are not the same thing
'Companies claim they have world-class security and therefore privacy, but you can have world-class security and have no privacy whatsoever'
The new European data protection regulations mean that customers of cloud companies, and the cloud firms themselves, must increasingly focus on privacy as well as security. Traditionally, cloud firms have tended to treat them as one and the same, preferring to concentrate on security as that's easier for them to control.
"It's ISO 27001, it's PCI DSS, it's physical security, the protection of your perimeter, software lifecycle management, it's identity and access management, operations, availability," said Dob Todorov, security specialist at Amazon Web Services (AWS), going on to mention that AWS features around 2,000 controls that allow customers to configure the service to their requirements.
"It's making sure that customers are not as weak as their weakest link," he added.
It is undoubtedly true that global cloud companies like Amazon, which are able to invest massively in data defences, are more secure than most organisations' data centres, which are prone to floods, power cuts, hardware failures, patching glitches, DDoS attacks - and workmen drilling through cables in the road. But privacy is a trickier beast because different standards exist in different jurisdictions.
The EU General Data Protection Regulation (GDPR), which will become law in 2018, unifies data protection legislation across the whole of the EU for the first time. It is also significantly tougher than what went before. While AWS is compliant with the data privacy standard ISO 27018, Sheila Fitzpatrick, worldwide data governance counsel and chief privacy officer at storage firm NetApp, believes that Amazon and most other cloud providers will have to make some changes if they are to comply.
"They can't necessarily say exactly where that data is. Yes, you can pick a data centre, but where is it replicated and what third parties are used to provide support services? It's not that they can't address it, they can, but they have a lot of work to do," she said.
"Privacy and security interlock but they're not the same thing," added Fitzpatrick, who also sits on the data protection advisory committee at the EU.
"Companies can claim they have world-class security and therefore you have privacy, but you can have world-class security and have no privacy whatsoever."
She used the analogy of a wheel: "Privacy is the wheel and security is one spoke of it. A very important spoke but only one fifth of that wheel."
Whereas previously cloud providers could argue that privacy is the duty of the customer rather than the provider, that will change with the new regulation.
"Cloud providers are going to be impacted because they can't pass the buck, they can't say 'well, you decide what's going to be in your cloud environment, you control security, you control everything'," Fitzpatrick said. "Cloud providers are going to have joint accountability for any data that is in their environment."
But this doesn't let customers off the hook.
"Companies need to ask their cloud providers how they comply with privacy laws. They need to do a privacy assessment, not just a security impact assessment. That's something companies don't do, and that's not the cloud provider's responsibility; it's the customer's responsibility to ask those questions.
"What third parties do you use to support your cloud environment? Do they manage their own data centre or do they outsource it? Where does the data flow through before it even gets to the data centre? Which jurisdictions are affected?"
She continued: "How do you get your data back when there is no longer a business relationship? What happens if there is a subpoena or e-discovery and the cloud provider gets a subpoena? How do they notify their customers? Will they turn their data over? These are questions beyond traditional security. Customers have to do their privacy impact due diligence."
Much of this will fall to the new data protection officer role mandated by the GDPR. Fitzpatrick said that while it may sound onerous it need not be, so long as companies are transparent about how they use data, but she warned that they need to act sooner rather than later.
"It is time-consuming and you do need to understand data privacy and not just security, but it's not that complicated," she said.