Category Archives: data privacy

Close to 60 per cent of confidential cloud data can’t have risk levels assessed – research

UK IT professionals claim to be struggling with accurately assessing the risk of storing their confidential data in the cloud

Data from a recent Ponemon Institute survey commissioned by Informatica suggests UK enterprises are struggling to assess the risk associated with placing confidential data in the cloud, with respondents claiming they can’t determine the risk to 58 per cent of the confidential data they store in the cloud.

The problem appears particularly acute for cloud-based data: by comparison, enterprises said they faced the same challenge with only 28 per cent of the sensitive information held on-premise.

The survey results, which include responses from 118 UK IT and IT security professionals with responsibility for data protection, point to a gap in the deployment of data management tools between on-premise and cloud-based systems, which may go some way towards explaining the difference in confidence about assessing data risk. About 46 per cent of respondents are using such tools for data on-premise and 34 per cent for data in the cloud.

Still, less than half of respondents claimed to have common processes in place for discovering and classifying the sensitive or confidential data on-premise, and just a quarter said they have a process in place for data stored in the cloud.

About 54 per cent of respondents said they are not confident in their ability to respond proactively to a new threat in the cloud, and respondents believe that 30 per cent of the sensitive or confidential data they hold in the cloud is at risk.

“The survey highlights that whilst organisations continue to fear cyberattacks, what really keeps them up at night is the unknown. Namely not knowing where data is and the associated risk to it,” said Larry Ponemon, chairman and founder, Ponemon Institute.

“Whilst businesses are more confident about having data on premise, the shift towards cloud computing is continuing to accelerate and organisations can’t afford to be held back by data security concerns. Instead, security practitioners need to get a handle on the classification of data so that they can feel more confident about the information that they are moving to the cloud. Regardless of whether information is held on premise or in the cloud, data governance protocols should be the same,” Ponemon said.

Amit Walia, Informatica senior vice president and general manager of data integration and security, said the results demonstrate that the majority of organisations do not have a handle on their sensitive data, regardless of whether it exists on-premise or in the cloud.

He explained that, as data volumes grow, enterprises are leaning more on customised software and automated processes rather than manual processes to classify data risk and apply rules and policies, which is creating something of a false perception of risk.

“Because businesses have less confidence in their understanding of sensitive data then they perceive more risk. To reduce threat exposure and improve breach resiliency, organisations need to invest in data centric security technologies, which enable businesses to enact the need-to-know data access policies that help limit the exposure of sensitive data,” Walia said.

EU data protection authorities rubber-stamp AWS’ data processing agreement

EU data protection authorities have rubber-stamped AWS' data protection practices

The group of European Union data protection authorities known as the Article 29 Working Party (WP29) has approved AWS’ Data Processing Agreement (DPA), which the company said would help reassure customers that it applies high standards of security and privacy in handling their data, whether that data is moved inside or outside the EU.

Amazon said the inclusion of standardised model clauses within its customer contracts, together with the WP29’s sign-off of its contract, should give customers more confidence in how it treats their data.

“The security, privacy, and protection of our customers’ data is our number one priority,” said Werner Vogels, chief technology officer, Amazon.

“Providing customers a DPA that has been approved by the EU data protection authorities is another way in which we are giving them assurances that they will receive the highest levels of data protection from AWS. We have spent a lot of time building tools, like security controls and encryption, to give customers the ability to protect their infrastructure and content.”

“We will always strive to provide the highest level of data security for AWS customers in the EU and around the world,” he added.

AWS already boasts a number of highly regulated clients in the US and Europe, and has made strides to appease security- and data-sovereignty-conscious customers. The company is certified against ISO 27001, SOC 1, 2 and 3 and PCI DSS Level 1, is approved to provide its services to a number of banks in Europe, and is working with the CIA to build a massive private cloud platform.

More recently AWS added another EU availability zone, based in Frankfurt; it already operates one in Dublin.

The rubber-stamping seems to have come as welcome news to some members of the European Parliament, who have for the past few years been actively working on data protection reform in the region.

“The EU has the highest data protection standards in the world and it is very important that European citizens’ data is protected,” said Antanas Guoga, Member of the European Parliament.

“I believe that the Article 29 Working Party decision to approve the data processing agreement put forward by Amazon Web Services is a step forward in the right direction. I am pleased to see that AWS puts an emphasis on the protection of European customer data. I hope this decision will also help to drive further innovation in the cloud computing sector across the EU,” Guoga added.

Microsoft, civil liberties renew calls for Patriot Act reform

Microsoft and close to 50 tech companies and civil liberties associations have renewed calls to reform the US Patriot Act ahead of the expiry of the law’s provisions governing bulk data collection

Microsoft, along with nearly fifty other civil liberties associations and technology firms, has signed an open letter to senior members of the US government calling for reform of the Patriot Act, a cause célèbre for Microsoft among other cloud firms in recent years.

Microsoft has previously criticised the US government’s bulk data collection practices, and the ability of its authorities to act on warrants beyond US soil (particularly when such acts contradict local laws where those businesses operate).

In the open letter, addressed to very senior members of the US government including Michael Rogers, director of the NSA, Senate minority leader Harry Reid, and US president Barack Obama, the organisations reaffirm the need to end the US government’s bulk data collection practices, and to make government and corporate reporting on any Foreign Intelligence Surveillance Court decisions more transparent.

The US Patriot Act Section 215, which currently serves as the legal basis for the NSA’s bulk collection of metadata, is due to expire in June this year.

“We the undersigned represent a wide range of privacy and human rights advocates, technology companies, and trade associations that hold an equally wide range of positions on the issue of surveillance reform. Many of us have differing views on exactly what reforms must be included in any bill reauthorizing USA Patriot Act Section 215,” the letter reads.

“That said, our broad, diverse, and bipartisan coalition believes that the status quo is untenable and that it is urgent that Congress move forward with reform.”

“It has been nearly two years since the first news stories revealed the scope of the United States’ surveillance and bulk collection activities. Now is the time to take on meaningful legislative reforms to the nation’s surveillance programs that maintain national security while preserving privacy, transparency, and accountability.”

Microsoft is among a range of technology companies in support of reforming how American legal entities treat data, whether in the context of surveillance activities or of general legal proceedings. US lawmakers have, for their part, signalled they are prepared to act on longstanding promises to reform the legal landscape. Last month American lawmakers introduced two bipartisan bills that seek to limit the reach of US courts over data stored in cloud services located outside the US, a move welcomed by a broad coalition of technology and telecoms firms, including Microsoft.