The eighth principle of data protection (from the Data Protection Act, the UK’s implementation of Directive 95/46/EC) states that:
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The United States leads the way when it comes to cloud computing. Using it means that it is possible (likely) your data will leave the EEA.
The US differs in its approach to data protection, preferring a lighter touch. They do not ensure an “adequate level” of protection from the EU’s perspective.
As the Directive affects most in the EU, steps needed to be taken to allow trade to continue. The US Department of Commerce, in consultation with the European Commission, established the Safe Harbor scheme. Under this scheme US firms can voluntarily comply with the stricter EU data protection rules.
Google, Amazon, RackSpace, Microsoft and Red Hat have all signed up.
So does that mean you can use the cloud and not worry about data protection any more? Nope.
Not all providers are equal and you should look at their security certification and compliance information. Most of the top tier will have similar accreditations but there are a lot of others who do not. For example, Amazon have completed multiple SAS 70 Type II audits, achieved ISO 27001, been validated as a PCI DSS level 1 provider, etc.
Ultimately, though, it is not the provider who is responsible for your data; you are. Encrypting sensitive data is probably the most important thing you can do. How you go about this will be specific to your situation but my three general guidelines are:
- Favour encrypting data at the application/database level before disk level encryption. Physical theft or loss is less of a risk than a configuration or software bug being exploited.
- Implement good audit controls so you can determine what changed, when and by whom.
- Always use SSL/TLS when dealing with commercial/personal data.
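As an illustration of the second guideline, here is an added example (not from the original post) of an application-level audit trail that records what changed, when and by whom. It goes one step further than the guideline by chaining entries with an HMAC so that later edits to the trail are detectable; the function names, the key and the sample records are constructed for this sketch.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first entry


def _mac(key, prev_mac, body):
    # Canonical JSON so the same entry always produces the same MAC.
    payload = prev_mac + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def record_change(log, key, who, when, record_id, before, after):
    """Append one entry: who changed which fields of which record, and when."""
    # Values are kept in clear here; for sensitive fields store a digest instead.
    changed = {
        f: {"old": before.get(f), "new": after.get(f)}
        for f in sorted(set(before) | set(after))
        if before.get(f) != after.get(f)
    }
    body = {"who": who, "when": when, "record": record_id, "changed": changed}
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = dict(body, mac=_mac(key, prev_mac, body))
    log.append(entry)
    return entry


def verify(log, key):
    """Return the index of the first entry that fails verification, or -1."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(entry["mac"], _mac(key, prev_mac, body)):
            return i
        prev_mac = entry["mac"]
    return -1


def demo():
    key = b"constructed-demo-key"  # assumption: the real key is held outside the app database
    log = []
    record_change(log, key, "alice", "2024-01-05T10:00:00Z", "customer:17",
                  {"email": "a@example.com", "tier": "basic"},
                  {"email": "a@example.com", "tier": "gold"})
    record_change(log, key, "bob", "2024-01-05T11:30:00Z", "customer:17",
                  {"email": "a@example.com"}, {"email": "b@example.com"})
    intact = verify(log, key)
    log[0]["who"] = "mallory"  # simulate an after-the-fact edit of the trail
    return intact, verify(log, key)
```

The chain detects modified entries and entries removed from the middle; detecting truncation at the end requires storing the latest MAC somewhere the application cannot overwrite.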
All of the provider’s safeguards will count for nothing if you do not secure your applications and data properly. But if you do implement good data protection measures then the cloud can offer considerable improvements in your overall security posture.
For more information on international data transfers here is the guidance from the ICO.