Does your cloud vendor protect your rights?
When an organization's data is in the cloud, requests to provide access to it for legal reasons are more complicated
Computerworld - From time to time, organizations are asked to provide access to data for legal reasons. Those requests can be more complicated when the data is in the cloud. But a new report sheds some light on one critical aspect of such requests.
One risk with cloud computing is that the customer has less control over who can access its data. When customer data is stored on and processed by the cloud vendor's data center instead of in-house, what's to stop a third party, such as the government, from going directly to the cloud vendor to obtain access to that data without the customer's permission or knowledge? And if that happens, will the cloud vendor's priority be to protect its customer's rights and data or to protect itself?
With the April 30, 2013, release of its third "Who Has Your Back?" report, the Electronic Frontier Foundation (EFF) has tried to answer these questions. The report reflects that, as with most things in the cloud, vendors vary widely on how they handle third-party requests for access to data. For the 2013 report, the EFF used six criteria to assess cloud vendors, and awarded a star for good performance in each category. The six criteria are:
Does the cloud vendor publish transparency reports? Google was the first out of the gate when it began issuing its Google Transparency Report three years ago. Since then, more cloud vendors, including Twitter, Dropbox and, most recently, Microsoft have followed suit by issuing their own transparency reports. These reports typically provide statistics regarding how often the vendor receives and fulfills government requests to provide access to customer data. In response to the changing technological and legal landscape, these reports continue to evolve. Effective March 5, 2013, Google announced that it will begin including data about National Security Letters (NSL) in its transparency report.
Does the cloud vendor notify customers? Does the vendor tell customers about government data requests, unless prohibited by law? Doing so provides customers with the opportunity to protest or defend against overreaching government demands for their data.
The caveat "unless prohibited by law" is directly connected to NSLs. Five different federal statutes enable the FBI to obtain records for foreign intelligence or international terrorism investigations via an NSL that the FBI can issue on its own authority and without court approval. The Patriot Act expanded on this to include a "gag" provision prohibiting the vendor recipient of an NSL from revealing anything about the NSL, including that it has been received. This prevents the vendor from notifying anyone, including the owner of the data requested, that such a demand has been made. NSLs have understandably been controversial.
Other columns by Thomas Trappler
- NASA's cloud audit holds value for all
- Who can pry into your cloud-based data?
- Does your cloud vendor protect your rights?
- Software licensing in the cloud
- For credit card handlers, cloud computing guidelines just got clearer
- Regulations and the cloud: HIPAA modification provides clarity
- Certification programs are making it easier to know all about a cloud vendor
- The do's and don'ts of safeguarding cloud-based data with encryption
- For a good cloud contract, start with an RFP
- It takes a team to create a good cloud contract
- The business impact of BYOA: Five major challenges and how your enterprise can solve them This E-Book reviews five major challenges of BYOA with key subject matter experts and outlines how businesses can solve them.
- The BYOA Opportunity Visual demonstration of problems that unmonitored, employee-introduced cloud apps can cause a business, and why IT managers need a solution to help and...
- BYOA: Embracing the Opportunity, Controlling the Risk This whitepaper explores the shift from BYOD to BYOA (bring-your-own-application) and how IT departments today can address this new change in the IT...
- AppGuru Reference Guide: Conquer BYOA Challenges, Leverage BYOA Benefits As the advantages of Bring-Your-Own-Application environments become increasingly apparent, BYOA is quickly becoming a reality for organizations of all sizes. But with the...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Cloud Computing White Papers | Webcasts