Businesses require higher levels of assurance when it comes to security and data privacy in cloud services, CA Technologies has said.
The comments come as top cloud service providers like Microsoft, Google, Amazon.com, Salesforce.com and Rackspace urge a congressional committee to give data stored in cloud computing systems the same legal protections as information stored on a PC. They claimed that the lack of protections today is an important issue for enterprise customers, and is deterring some from using cloud services.
Simon Godfrey, director, Information Security, Risk and Compliance for CA Technologies, told TechEye: “As part of any review and adoption plan to embrace cloud services, independent research clearly shows that an Enterprise requires higher levels of assurance when it comes to Security and Data Privacy.
“As a minimum they expect to see the standards of protection matching their current capabilities and in some cases moving to a cloud based service could actually enable them to reach a higher level of assurance than they currently attain from within their enterprise.”
However, he said it was worth noting that standard security and assurance practices may be especially beneficial to small to medium-sized organisations that may not have the resources to do this themselves.
To give lawmakers a sense of the scale of cloud-based system usage, Google senior counsel Richard Salgado told the committee that there were 3 million business users of the company’s cloud services today, and about 3,000 more sign up for them each day. He said that all these companies face “inconsistent, confusing and uncertain” privacy laws that can be applied to data.
Salgado went on to give an example of how laws can be confusing, citing the Electronic Communications Privacy Act of 1986, which allows the government to compel a service provider to disclose the contents of an email older than 180 days “with nothing more than a subpoena”.
He said a search warrant, which unlike a subpoena requires that investigators provide probable cause, is needed to turn over emails less than 180 days old.
As a result, he has come to the conclusion that communications and documents stored online should be treated “as if they were stored at home,” which would require that the government “get a search warrant before compelling a service provider to access and disclose the information” at any time.
Godfrey agrees: “It is important to note that the responsibility for the data remains with the Enterprise even if the Data resides within a cloud based service so the enterprise has to be very clear about what level of assurance they can expect and what measures the cloud provider has in place to ensure the confidentiality, availability and integrity of the data at all times.
“The ability to prove this to the enterprise is of major importance as many of the enterprises may operate within regulated industries that mandate how information should be managed and controlled.
“There are many security, process and data privacy items that need investigation and review before embracing a cloud service,” he said.
The US Senate is also looking at this issue.