Does your cloud vendor protect your rights?
When an organization's data is in the cloud, requests to provide access to it for legal reasons are more complicated
Computerworld - From time to time, organizations are asked to provide access to data for legal reasons. Those requests can be more complicated when the data is in the cloud. But a new report sheds some light on one critical aspect of such requests.
One risk with cloud computing is that the customer has less control over who can access its data. When customer data is stored on and processed by the cloud vendor's data center instead of in-house, what's to stop a third party, such as the government, from going directly to the cloud vendor to obtain access to that data without the customer's permission or knowledge? And if that happens, will the cloud vendor's priority be to protect its customer's rights and data or to protect itself?
With the April 30, 2013, release of its third "Who Has Your Back?" report, the Electronic Frontier Foundation (EFF) has tried to answer these questions. The report reflects that, as with most things in the cloud, vendors vary widely on how they handle third-party requests for access to data. For the 2013 report, the EFF used six criteria to assess cloud vendors, and awarded a star for good performance in each category. The six criteria are:
Does the cloud vendor publish transparency reports? Google was the first out of the gate when it began issuing its Google Transparency Report three years ago. Since then, more cloud vendors, including Twitter, Dropbox and, most recently, Microsoft have followed suit by issuing their own transparency reports. These reports typically provide statistics regarding how often the vendor receives and fulfills government requests to provide access to customer data. In response to the changing technological and legal landscape, these reports continue to evolve. Effective March 5, 2013, Google announced that it will begin including data about National Security Letters (NSL) in its transparency report.
Does the cloud vendor notify customers? Does the vendor tell customers about government data requests, unless prohibited by law? Doing so provides customers with the opportunity to protest or defend against overreaching government demands for their data.
The caveat "unless prohibited by law" is directly connected to NSLs. Five different federal statutes enable the FBI to obtain records for foreign intelligence or international terrorism investigations via an NSL that the FBI can issue on its own authority and without court approval. The Patriot Act expanded on this to include a "gag" provision prohibiting the vendor recipient of an NSL from revealing anything about the NSL, including that it has been received. This prevents the vendor from notifying anyone, including the owner of the data requested, that such a demand has been made. NSLs have understandably been controversial.
Other columns by Thomas Trappler
- NASA's cloud audit holds value for all
- Who can pry into your cloud-based data?
- Does your cloud vendor protect your rights?
- Software licensing in the cloud
- For credit card handlers, cloud computing guidelines just got clearer
- Regulations and the cloud: HIPAA modification provides clarity
- Certification programs are making it easier to know all about a cloud vendor
- The do's and don'ts of safeguarding cloud-based data with encryption
- For a good cloud contract, start with an RFP
- It takes a team to create a good cloud contract
- Trends Shaping Software Management: 2014 Most IT executives recognize the relationship between mobile computing and worker productivity, and have long issued notebook computers and other mobile devices to...
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- REST easy: API Design, Evolution and Connection RESTful design increases API performance, reduces development effort, and minimizes operational support burden. By following a few best practices and selecting RESTful tooling,...
- DevOps meets ALM in the Cloud - Cloud DevOps PaaS To improve software delivery performance and effectiveness, teams need automation, governance, architecture best practices, and increased team collaboration. Find out more.
- ElectricAccelerator: Dramatically Faster Builds and Test ElectricAccelerator dramatically speeds up builds and test by parallelizing jobs across clusters of physical or cloud CPUs.
- Electric Cloud: Your AnthillPro Alternative Many organizations have become leery about AnthillPro since its acquisition by IBM. In this webinar, learn why ElectricCommander is an excellent alternative to... All Cloud Computing White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!