
BSA releases rankings of global cloud policies – UK drops and US rises on leader board

The BSA | The Software Alliance has released its global ranking of cloud computing policies, assessing the cloud readiness and policies of the world’s 24 leading ICT economies, with the UK dropping down the leader board.

The UK dropped two places in the rankings to ninth, whereas Japan maintained its position at the top of the leader board and the US improved its position, coming in second place. The 24 countries ranked in the research account for roughly 80% of global ICT revenues. Each country is ranked on its strengths and weaknesses in seven policy areas: data privacy, security, cybercrime, intellectual property rights, support for standards, promotion of free trade, and IT readiness & broadband deployment.

“It’s worrying to see the UK starting to fall behind other faster-moving nations in creating policies which enable cloud innovation,” said Victoria Espinel, CEO of the BSA. “It’s critical for global leading nations like the UK to be on the front-foot in creating robust policy frameworks fit for the digital age to prevent protectionism, so governments, businesses and consumers can benefit from the various benefits cloud computing offers. The report is a wakeup call for all governments to work together to ensure the benefits of the cloud around the globe.”

The UK scored particularly well on intellectual property rights, security and IT readiness, where it ranked fourth, second and first respectively, but badly in the cybercrime evaluation, coming in at number 21 out of 24. In the other areas it sat in the middle of the road, and while overall performance was not negative, the UK fell behind because of the speed and efficiency with which other nations are developing their policies.

In the cybercrime section, where the UK was particularly poor, the report highlighted that, while the UK was in general compatible with the Budapest Convention on Cybercrime, it has not yet implemented laws relating to misuse of devices, as required by Article 6 of the Convention. The report also stated that outdated data registration laws are acting as a barrier to some cloud services, as businesses are required to register their data sets with the regulator, which seems to be an unnecessary burden.


[Image: 2016 BSA Global Cloud Computing Scorecard]

The US performed favourably across the majority of the ranking categories, particularly on support for industry standards (first), promotion of free trade (first) and IT readiness (third). The US has been recognized by the report as a particular advocate of free trade and harmonization, as well as standardization, as it “continued to remove barriers to international information technology (IT) interoperability”.

Data privacy was the area in which the US performed worst. The report stated that there is no single privacy law in the US, and that numerous policies have the potential to create a complicated and confusing landscape. Current key sectoral privacy laws include the Federal Trade Commission Act, the Electronic Communications Privacy Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act and the Telephone Consumer Protection Act.

The report also drew attention to the compatibility between US law and the privacy principles in the EU Data Protection Directive, of which there is little. According to the report, “US organizations also have a range of voluntary options to ensure their data protection practices are compatible with the principles in the EU Directive”, though these are not backed up by government policy or legislation. This has been a point of discussion throughout the industry, following Safe Harbour being shot down and its successor receiving criticism from certain corners of the EU.

[Image: Russian Privacy Law]

While the report outlines progress in the development of IT and cloud policies throughout the world, it also draws attention to several nations that have been demonstrating negative trends. Countries such as China and Russia have implemented policies which could be seen to inhibit the growth of cloud computing within their countries, by limiting the ability of cloud computing service providers to adequately move data across borders.

“The Scorecard shows that countries are eager to welcome cloud computing and its myriad economic benefits, and many of them are creating a favourable regulatory and legal environment,” said Espinel. “Unfortunately, the Scorecard also shows some countries are heading down a path of treating cloud computing as the next frontier of protectionism. The report is a wakeup call for all governments to work together to ensure the benefits of the cloud around the globe.”

Russia, for example, has implemented a legal requirement that data operators store the personal data of Russian citizens on servers based in Russia, and that personal data information systems (irrespective of the simplicity of the database) be certified by the Federal Service for Technical and Export Control (FSTEC). In turn, this data can only be used on software and hardware which has also been approved by the FSTEC.

The BSA believes this will have a negative impact on the country’s digital economy, stating “The local requirements are not compliant with generally accepted international standards, and Russia does not participate in the Common Criteria Recognition Agreement (CCRA).”

Giving employees the cloud they want

Businesses are taking the wrong approach to their cloud policies

There is an old joke about the politician who is so convinced she is right when she goes against public opinion, that she states, “It’s not that we have the wrong policies, it’s that we have the wrong type of voters!” The foolishness of such an attitude is obvious and yet, when it comes to mandating business cloud usage, some companies are still trying to live by a similar motto despite large amounts of research to the contrary.

Cloud usage has grown rapidly in the UK, with adoption rates shooting up over 60% in the last four years, according to the latest figures from Vanson Bourne. This reflects the increasing digitalisation of business and society and the role cloud has in delivering that.  Yet, there is an ongoing problem with a lack of clarity and understanding around cloud policies and decision making within enterprises at all levels. This is only natural, as there is bound to be confusion when the IT department and the rest of the company have differing conceptions about what the cloud policy is and what it should be. Unfortunately, this confusion can create serious security issues, leaving IT departments stuck between a rock and a hard place.

Who is right? The answer is, unsurprisingly, both!  Increasingly non-IT decision makers and end-users are best placed to determine the value of new services to the business; but IT departments have long experience and expertise in the challenges of technology adoption and the implications for corporate data security and risk.

Cloud policy? What cloud policy?

Recent research from Trustmarque found that more than half (56 per cent) of office workers said their organisation didn’t have a cloud usage policy, while a further 28 per cent didn’t even know if one was in operation. Despite not knowing their employer’s cloud policy, nearly 1 in 2 office workers (46 per cent) said they still used cloud applications at work. Furthermore, 1 in 5 cloud users admitted to uploading sensitive company information to file sharing and personal cloud storage applications.

When employees aren’t sure how to behave in the cloud and companies don’t know what information employees are disseminating online, the question of a security breach becomes one of when, not if. Moreover, with 40 per cent of cloud users admitting to knowingly using cloud applications that haven’t been sanctioned or provided by IT, it is equally clear that employee behaviour isn’t about to change. Therefore, company policies must change instead – which often is easier said than done. On the one hand, cloud applications are helping increase productivity for many enterprises, and on the other, the behaviour of some staff is unquestionably risky. The challenge is maintaining an IT environment that supports employees’ changing working practices, but at the same time is highly secure.

By ignoring cloud policies, employees are also contributing to cloud sprawl. More than one quarter of cloud users (27 per cent) said they had downloaded cloud applications they no longer use. The sheer number and variety of cloud applications being used by employees means costs can quickly spiral out of control. This provides another catch-22 situation for CIOs seeking balance, as they look to keep costs down, ensure information security and empower employees to use the applications needed to work productively.

The road to bad security is paved with good intentions

The critical finding from the research is that employees know what they are doing is not sanctioned by their organisation and still engage in that behaviour. However, it’s important to recognise that this is generally not due to malicious intent, but rather because they see the potential benefits for themselves or their organisation and security restrictions mean their productivity is hampered – so employees look for a way around those barriers.

It is not in the interest of any business to constrain the impulse of employees to try and be more efficient. Instead, businesses should be looking for the best way to channel that instinct while improving security. There is a real opportunity for those businesses that can marry the desires of employees to use cloud productively, but with the appropriate security precautions in place, to get the very best out of cloud for the enterprise.

Stop restricting and start empowering

The ideal solution for companies is to move towards an integrated cloud adoption/security lifecycle that links measurement, risk/benefit assessment and policy creation, policy enforcement, education and app promotion, so that there is a positive feedback loop reinforcing both cloud adoption and good security practices. This means an organisation will gain visibility into employees’ activity in the cloud so that it can allow their favourite applications to be used, while blocking specific risky activity. This is far more effective than a blanket ban as it doesn’t compromise the productive instincts of employees, but instead encourages good behaviour and promotes risk-aware adoption. For this change to take effect, IT departments need to alter their mindset and become the brokers of services such as cloud, rather than the builders of constricting systems. If organisations can empower their users by, for example, providing cloud-enabled self-service, single sign-on and improved identity lifecycle management, they can simultaneously simplify adoption and reduce risk.

Ignorance of cloud policies among staff significantly raises the possibility of data loss, account hijacking and other cloud-related security threats. Yet since the motivation is, by and large, the desire to be productive rather than malicious, companies need to find a way to blend productivity and security instead of having them square off against each other. It is only through gaining visibility into cloud usage behaviour that companies can get the best of both worlds.

Written by James Butler, chief technology officer, Trustmarque