Category Archives: data protection

Citrix and Microsoft team up to tackle enterprise mobility

Citrix has expanded its partnership with Microsoft as the team aim to capitalize on flexible working and enterprise mobility trends.

Speaking at Citrix Synergy in Las Vegas, CEO Kirill Tatarinov outlined objectives to meet the needs of the modern workforce with application and desktop virtualisation in the cloud, network delivery and enterprise mobility management. Citrix has selected Azure as the preferred and strategic cloud for its future roadmap and the team will work to develop new integrations between Citrix XenMobile, NetScaler and the Microsoft Enterprise Mobility Suite, to improve efficiency and data security.

“Companies of all sizes across all industries around the world have an amazing opportunity to embrace digital transformation and empower their people to work productively from anywhere at any time,” said Kirill Tatarinov, CEO of Citrix. “Our customers are asking Citrix and Microsoft to work closer together to help them fully leverage innovations like Windows 10, Office 365 and Azure. This enhanced partnership ensures we can be more agile in responding to our customers’ needs and help them accelerate the move to digital business.”

As part of the partnership, the team will aim to accelerate the deployment of Windows 10 Enterprise within their customers’ organisations. Citrix customers can use AppDNA to aid migration to Windows 10 by providing application lifecycle management tools to discover and resolve application compatibility issues, the team claims.


Citrix NetScaler will integrate with EMS to provide virtual private network capabilities for more secure, identity-based access to on-premises applications on Microsoft Intune-managed devices. Citrix will also offer customers who have purchased Windows Software Assurance on a per-user basis the option to host their Windows 10 Enterprise Current Branch for Business images on Azure through its XenDesktop VDI solution, which the team claim is a first in the industry.

“Our relationship with Citrix has always been founded on the commitment to making our mutual customers successful by empowering their people to be more productive,” said Scott Guthrie, EVP of Cloud and Enterprise at Microsoft. “By selecting Azure as its preferred and strategic cloud, Citrix is helping companies mobilise their workforces to succeed in today’s highly competitive, disruptive and global business environment.”

Employees not taking advantage of mobility initiatives – survey

Despite mobility being one of the top priorities for organizations throughout the world, research from IDC has shown only 13% of those who are given the option actually work from home.

Enterprise mobility has proved to be one of the more prominent trends emerging out of the evolution to cloud-based platforms, as employees aim to create a working environment which encourages innovation and creativity; however, the study shows the generosity is not being taken advantage of. One statistic which could be seen as an obstacle to adoption is that two in five line managers admit they do not want their employees to work from home.

Numerous organizations have highlighted mobility strategies as a priority for coming months, as organizations aim to utilize the power and freedom of cloud-based applications to increase the productivity of employees. Findings from 451 Research claim 40% of enterprise organizations are prioritizing mobilization of general business apps over the next two years, as opposed to focusing solely on field services and sales teams. The trends towards mobility are also confirmed when assessing the M&A market. In the mobile device management and mobile middleware segment, 28% of the total deals (21 of 74) and 77% of their total value ($3bn of $3.9bn) over the past decade have occurred over the past two years alone.

Although other research has suggested organizations are shifting to a mobility mind-set, IDC’s study has outlined that the drive towards it is still in the early adopter stages, despite numerous organizations claiming its importance. The leadership team were particularly critical of considering working from home to be acceptable, as only 43% of employees are confident leadership is fully behind mobility as a concept. Of those who do have the opportunity to work from home, only 14% spend more than half their time outside the office.

From a leadership perspective, new EU regulations regarding the protection, residence and transition of data could have an impact on their attitudes towards mobility, as penalties for non-compliance will be to the tune of €20 million or 4% of the organization’s annual turnover, whichever is greater.

While vendors are striving to improve the efficiency of mobility solutions, as well as championing efforts to make the technologies on the whole more secure, unless the adoption of the mobility culture is increased from the end-user side, there are unlikely to be any changes in the near future. If the statistics remain true, mobility initiatives will not achieve the required ROI, which could have a negative long-term impact on the investments made into the mobility segment on the whole.

NTT Data partners with Privitar to make customers GDPR compliant

NTT Data UK has announced a partnership agreement with Privitar to provide data protection solutions built on new requirements set out by the EU General Data Protection Regulation.

The GDPR requires companies to process and use the personal data of any European customers in a justifiable and ethical manner, whilst also giving increased control of the data back to the customers themselves. As the role of data increases within the business world, customers have become increasingly interested in how their personal information is stored and used. Insight delivered from this data can be used to drive additional revenues for a business, though once GDPR comes into legislation in 2018, there will be strict guidance on how the data is used.

NTT Data believe this dynamic will create complications for various organizations, and claim that combining NTT Data’s data and process capabilities with Privitar’s privacy software will create a proposition which will comply with all GDPR data requirements.

“By combining NTT DATA’s sector-specific domain knowledge with Privitar’s software we can now deliver programmes that make our clients champions of both privacy and innovation,” said Steve Mitchener, CEO of NTT Data UK. “I’m excited that this partnership will allow our clients to fully utilise their data assets without fear of reputational and financial damage, or regulatory action.”

Let the countdown to GDPR begin

The road to data protection has been a long and confusing one. Despite being one of the biggest concerns of consumers and corporates throughout the world, progress has hardly been moving at breakneck speed, but as of today (May 25th), companies now have exactly two years to ensure they are compliant with the EU’s General Data Protection Regulation.

The general objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Data protection is a complicated business throughout the EU mainly due to slight differences from country to country, and then again, with overarching EU regulations, or directives which haven’t even made it to regulation.

Conversations surrounding the new regulations have been ongoing since 2012, though companies now have until 25th May 2018 to ensure they are fully compliant. This would seem an adequate amount of time; however, a recent YouGov and Netskope survey highlighted that only one in five are confident they will be compliant in this time period. For Eduard Meelhuysen, VP at Netskope, decision makers need to take a step back to get a better understanding of the current state of their data, before concentrating on any company app.

“If they are to comply, IT teams will need to make the most of the two-year grace period which means that both cloud-consuming organisations and cloud vendors will need to take active measures now,” said Meelhuysen. “As a starting point, organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation.

“The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees’ interactions with the cloud carefully as a key tenet of GDPR compliance.”

“As cloud app use continues to increase within businesses, data will become harder to track and control. But with the GDPR instigating a maximum possible fine of €20 million or 4% of global turnover (whichever is higher) in certain cases, there is now more incentive than ever for companies to focus on data protection. Getting a handle on cloud app use will be a crucial part of ensuring compliance for any organisation, and IT teams will need to start work now to meet the May 2018 compliance deadline.”

One area which has been given attention within the GDPR is that of data residency. New regulations will require that organizations do not store data in, or transfer data through, countries outside the European Economic Area that do not have equivalently strong data protection standards. The list of countries that meet these standards is short, 11, with a notable absentee, the United States of America, which could pose problems for numerous organizations.

While this may be considered one of the headline areas for the GDPR and one which will likely be heavily scrutinized, for Dave Allen, General Counsel at Dyn, concentrating too much on this area could lull companies into a false sense of security.

“As the EU GDPR comes into effect, businesses will need to take a hard look at their current methods of sharing and storing data,” said Allen. “While some Internet companies have begun to address new challenges at the fixed locations where data is stored – this alone will not necessarily be enough to ensure compliance.

“Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.

“Although no silver bullet exists for compliance with the emerging regulations which govern data flows, businesses which rely on the global Internet to serve their customers should be seriously considering visibility into routing paths along both the open Internet and private networks. As we enter an era of emerging geographic restrictions, businesses with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.”

Overall, the GDPR will ensure companies take a greater level of responsibility to safeguard the personal data they hold from attacks. Recent months have seen a number of highly publicised attacks significantly impact the reputation of well-known and respected brands, making consumers nervous about which of their personal information is being held. Previously, attacks on such organizations would not have been thought possible; surely they have the budgets to ensure these breaches wouldn’t happen?

Another headline proposition from the GDPR is the consumer’s right to access data which is stored on them, and also the right to have this data ‘forgotten’. For Jon Geater, CTO at Thales e-Security, this will create numerous challenges and changes to the way in which data is stored and accessed.

“The new rules also make clear another important factor that we should already have known: that you can outsource your risk, but you can’t outsource your responsibility,” said Geater. “If organisations use a third party provider to store and manage data – such as a cloud provider, for example – they are still responsible for its protection and must demonstrate exactly how the data is protected in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

“In addition, organisations will now have to provide citizens with online access to any of their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with GDPR in effect organisations must make this available for download ‘where possible’ and ‘without undue delay’.

“This is a very significant change and securing this access will represent a significant challenge to many organisations – especially while still complying with the new tighter rules – and will require robust cybersecurity technology across the board.”

What is clear is there will be complications. This shouldn’t be considered a massive surprise as any new regulations are fraught with complications on how to remain or become compliant, but the European Commission isn’t messing around this time. With fines of €20 million or 4% of global turnover (whichever is greater), the stick is a hefty one, and the carrot is yet to be seen.

Dropbox opens Hamburg office to reduce US/EU data concerns

Dropbox has announced the opening of its latest European office, branching into the German market ahead of plans to open a new data centre in Europe later in the year.

The company has answered concerns from European customers regarding the transmission of data across the Atlantic by committing to hosting their data within the EU; a region which the company claims is generating the majority of recent growth. This commitment has also been backed up with the company opening new offices in Dublin, London, Paris and Amsterdam, in addition to Hamburg.

Data residency has been an issue for European customers for a number of months since the Court of Justice of the European Union declared Safe Harbour void last October. Since then, there have been a number of efforts to soothe the relationship between the US and the EU, though the issue still remains contentious and newer drafts of Safe Harbour have been criticized by various European quarters.

As Europe represents a healthy growth region for Dropbox, it would appear the team are not prepared to wait for the EU/US data storm to blow over. Opening a new data centre in Germany has the potential for Dropbox to avoid the repercussions of the long-standing dispute.

“From manufacturing to professional services to healthcare, industries in Europe and around the world are discovering the benefits of increased collaboration on Dropbox,” said Thomas Hansen, Global VP of Revenue at Dropbox. “And the opening of our Hamburg office is just a part of our European commitment.

“From co-working spaces to corporations, people bring Dropbox to work, and adoption in Germany has been phenomenal. The top three cities in terms of Dropbox signups are also the largest: Berlin, Hamburg, and Munich. But Karlsruhe and Dresden are the real hotspots when measuring users per capita.”

As with other freemium business models, Dropbox has reportedly found difficulties in upgrading customers to the paid-for services. The company launched a new relationship with Adyen last year to offer localized payment models in 12 European countries, built around a direct debit payment mechanism, a more popular model in the European markets, as opposed to PayPal or credit card models.

What happens to EU General Data Protection Regulation if the UK votes for a Brexit?

Businesses warned not to give up on data reforms just because UK could quit Europe

As the UK prepares to vote on whether to leave the European Union, businesses are being warned not to give up on data reforms inspired by the forthcoming EU General Data Protection Regulation (GDPR).

Businesses across the country have been studying implications of the new Regulation, due to be in force in May 2018, which aims to create a ‘one-stop shop’ for data protection across the European Union.

Some of the key aspects of the bill include huge fines for data breaches, new rules around the collection of personal data and new rights for European citizens to ask for data to be deleted or edited. Many businesses will also be required to appoint a Data Protection Officer.

However, the Brexit vote opens up the possibility that the UK could be out of the EU by the time it comes into force.

John Culkin, Director of Information Management at Crown Records Management, said: “It would be tempting for businesses to think that if the UK leaves the EU this regulation would not apply. In fact, that isn’t the case. Although an independent Britain would not be a signatory of the Regulation, in reality it would still be impossible to avoid its implications.

“The Regulation governs the personal data of all European citizens, providing them with greater control and more rights over information held about them. So any company holding identifiable information of an EU citizen, no matter where it is based, needs to be aware. With millions of EU citizens living in the UK, too, it’s hard to imagine that many businesses here would be unaffected.

“The same applies to data breaches involving the personal data of European citizens. So it will still be vital to have a watertight information management system in place which allows businesses to know what information they have, where it is, how it can be edited and who is responsible for it.”

Even if the UK votes to leave the EU, data in Great Britain & Northern Ireland will continue to be regulated by the current Data Protection Act, which was passed in 1998.

A spokesperson for the Information Commissioner’s Office (ICO), an independent body set up to uphold information rights, said: “Although derived from an EU Directive, the Data Protection Act was passed by the UK Parliament and will remain in place after any exit, until Parliament decides to introduce a new law or amend it.

“The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on. The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

Culkin believes there is a real danger that UK businesses will defer crucial reforms of their information management systems – just in case the Brexit vote in June changes the agenda. But he warns it is a big risk.

He said: “Businesses should be thinking about the benefits of good information governance rather than hesitating because of what could happen in the future.

“There is no point putting in place systems that ignore privacy by design, for instance, when that is good procedure – no matter what happens in Europe in June. The same is true of measures to protect a business from data breaches, which have reputational as well as financial implications – no matter who imposes the fine.

“As for personal data, citizens in the UK are only going to be more demanding about how their data is collected, stored and edited in future – the genie is out of the bottle and it’s not sensible to think that leaving the EU will change it. Preparing for a modern data world is not only about the GDPR.”

This is a view shared by the ICO, which will continue to ensure organisations meet their information rights obligations no matter how the UK votes.

A spokesperson said: “Ultimately, this is a decision for organisations based on their own particular circumstances. Revisiting and reassessing your data protection practices will serve you well whatever the outcome of the referendum. Investing in GDPR compliance will ensure an organisation has a high standard of data protection compliance that will enable the building of consumer trust.”

The top three cloud security myths: BUSTED

The rise in global cyber-attacks and the subsequent high-profile press coverage understandably makes businesses question the security of cloud. After all, the dangers of hosting anything in an environment where data loss or system failure events are attributed to an outside source are magnified. As a result, many CIOs are also still struggling to identify and implement the cloud services most suitable for their business. In fact, research finds over three quarters (79%) of CIOs find it a challenge to balance the productivity needs of employees against potential security threats. Moreover, 84% of CIOs worry cloud causes them to lose control over IT.

But is cloud really more vulnerable than any other infrastructure? And how can organisations mitigate any risk they encounter? The reality is that all systems have vulnerabilities that can be exploited, whether on-premise, in the cloud or a hybrid of the two. It’s safe to say that people fear what they don’t understand – and with cloud becoming increasingly complex, it’s not surprising that there are so many myths attached to it. It’s time to clear up some of these myths.

Myth 1: Cloud technology is still in its infancy and therefore inherently insecure

Cloud has been around for much longer than we often think and can be traced as far back as the 1970s. The rapid pace of cloud development, coupled with an awakening realisation of what cloud can do for businesses, has thrust it into the limelight in recent years.

The biggest issue CIOs have with cloud is their increasing distance from the physical technology involved. Indeed, many CIOs feel that if they cannot walk into a data centre and see comforting lights flashing on the hardware, then it is beyond their reach. As a result, many organisations overlook instrumentation in the cloud, so don’t look at the data or systems they put there in the same way they would if it were on a physical machine. Organisations then forget to apply their own security standards, as they would in their own environment, and it is this complacency that gives rise to risk and exposure.

Myth 2: Physical security keeps data safe

It is a common misconception that having data stored on premise and on your own servers is the best form of protection. However, the location of data is not the only factor to consider. The greatest form of defence you can deploy with cloud is a combination of strict access rights, diligent data stewardship and strong governance.

Common security mistakes include not performing full due diligence on the cloud provider and assuming that the provider will be taking care of all security issues. In addition, it is still common for organisations to not take into account the physical location of a cloud environment and the legal ramifications of storing data in a different country. Indeed, a recent European Court of Justice ruling found the Safe Harbour accord was invalid as it failed to adequately protect EU data from US government surveillance. Cloud providers rushed to assure customers they were dealing with the situation, but the main takeaway from this is to not believe that a cloud provider will write security policy for you – organisations need to take ownership.

Myth 3: Cloud security is the provider’s responsibility

All of the major public clouds have multiple certifications (ISO27001, ISO27018, ENISA IAF, FIPS140-2, HIPAA, PCI-DSS) attained by proving they have controls to ensure data integrity.

The real risk comes when organisations blindly park data, thinking that security is just implicit. Unless the data is protected with encryption, firewalls, access lists etc., organisations remain vulnerable. The majority of cloud exposures can in fact be traced back to a failure in policy or controls not being applied correctly – look at the TalkTalk hack for example, and consider the alternate outcome had the database been encrypted.

Education and ownership is the future

The speed at which cloud is evolving can understandably cause a few teething problems. But it is the responsibility of providers and clients alike to take ownership of their own elements and apply security policies which are right for their business, their risk profile and the data which they hold. As with any technological change, many interested parties quickly jumped on the cloud bandwagon. But the allure of a technology can inhibit critical thinking, and the broader view of choosing the right application at the right cost, with appropriate security to mitigate risk, is lost. Remember, the cloud is not inherently secure and given the fact it stands to underpin enterprise operations for years to come, it’s worth approaching it not as a bandwagon but as an important part of enterprise infrastructure.

Written by Mark Ebden, Strategic Consultant, Trustmarque

24% of businesses expect a cyberattack within the next 90 days

Research from VMware has highlighted 24% of office workers and IT decision makers believe their organization will be the victim of a cyberattack within the next 90 days, mainly due to the belief that the threats are advancing at a faster pace than a company’s defences.

Although the statistics imply the event of a cyberattack is becoming normalized within the industry, the findings do also suggest investments from enterprise organizations are not meeting the demanding trends of security, as 39% of the respondents believe one of their organisation’s greatest vulnerabilities to a cyberattack is threats moving faster than their defences.

“The issue around accountability is symptomatic of the underlying challenge faced as organisations seek to push boundaries, transform and differentiate, as well as secure the business against ever-changing threats”, commented Joe Baguley, CTO of VMware in EMEA. “Today’s most successful organisations can move and respond at speed as well as safeguard their brand and customer trust. With applications and user data on more devices in more locations than ever before, these companies have moved beyond the traditional IT security approach which may not protect the digital businesses of today.”

While security could be seen as something of a sound-bite for board-level execs in recent months, the importance of spreading cybersecurity awareness and responsibility throughout the organization has been made clear by the IT department. Of the IT decision makers who were surveyed as part of the research, 22% said the board should be most aware of the necessary actions to take following a significant data breach, and 40% said the CEO should be this person.

Industry insiders have commented to BCN in recent weeks that the use of comments by execs highlighting the importance of cybersecurity has been an effort to appease customers and stakeholders, and that there is little follow-through in terms of investment in new technologies. Research from the Economist Intelligence Unit also backs up these comments, as its own survey said only 5% of UK corporate leaders consider cyber security a priority for their business, contradicting comments made by execs in the press.

Shadow IT was another area which featured in the report, as unauthorized devices and software are seemingly still plaguing IT decision makers throughout the industry. 55% of the IT decision makers surveyed believe their own employees are the greatest security threat a company faces, which is also backed up by the statistics that 26% would use their personal device to access corporate data and almost a fifth, 16%, would risk being in breach of the organisation’s security to carry out their job effectively.

“Security is not just about technology. As the research shows, the decisions and behaviours of people will impact the integrity of a business,” said Baguley. “However, this can’t be about lock-down or creating a culture of fear. Smart organisations are enabling, not restricting, their employees – allowing them to thrive, adapt processes and transform operations to succeed.”

BSA releases rankings of global cloud policies – UK drops and US rises on leader board

The BSA | The Software Alliance has released its global ranking of cloud computing policies, assessing the cloud readiness and policies of the world’s 24 leading ICT economies, with the UK dropping down the leader board.

The UK dropped two places in the rankings to ninth, whereas Japan maintained its position at the top of the leader board, and the US improved its position, coming in second place. The 24 countries ranked in the research account for roughly 80% of global ICT revenues. Each country is ranked depending on its strengths and weaknesses in seven policy areas: data privacy, security, cybercrime, intellectual property rights, support for standards, promotion of free trade and IT readiness & broadband deployment.

“It’s worrying to see the UK starting to fall behind other faster-moving nations in creating policies which enable cloud innovation,” said Victoria Espinel, CEO of the BSA. “It’s critical for global leading nations like the UK to be on the front-foot in creating robust policy frameworks fit for the digital age to prevent protectionism, so governments, businesses and consumers can benefit from the various benefits cloud computing offers. The report is a wakeup call for all governments to work together to ensure the benefits of the cloud around the globe.”

The UK scored particularly well when it came to intellectual property rights, security and IT readiness, where it ranked fourth, second and first respectively, but badly in the cybercrime valuation, coming in at number 21 out of 24. Within the other areas it hit the middle of the road, and while overall performance was not negative, the UK fell behind due to the speed and efficiency in which other nations are developing their policies.

In the cybercrime section, where the UK was particularly poor, the report highlighted that while the UK was in general compatible with the Budapest Convention on Cybercrime, it has not yet implemented laws relating to misuse of devices, as required by Article 6 of the Convention. The report also stated outdated data registration laws are acting as a barrier to some cloud services, as businesses are required to register their data sets with the regulator, which seems to be an unnecessary burden.

[Figure: 2016 BSA Global Cloud Computing Scorecard]

The US performed favourably across the majority of the ranking categories, particularly on support for industry standards (first), promotion of free trade (first) and IT readiness (third). The US has been recognized by the report as a particular advocate of free trade and harmonization, as well as standardization, as it “continued to remove barriers to international information technology (IT) interoperability”.

Data privacy was the area in which it performed the worst, where the report stated there is no single privacy law in the US, as well as numerous policies which have the potential to create a complicated and confusing landscape. Current key sectoral privacy laws include the Federal Trade Commission Act, the Electronic Communications Privacy Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act and the Telephone Consumer Protection Act.

The report also drew attention to the compatibility of the US with the privacy principles in the EU Data Protection Directive, of which there is little. According to the report, “US organizations also have a range of voluntary options to ensure their data protection practices are compatible with the principles in the EU Directive”, though these are not backed up by government policy or legislation. This has been a point of discussion throughout the industry, following Safe Harbour being shot down, and its successor receiving criticism from certain corners of the EU.

Figure: Russian Privacy Law

While the report does outline progress in the development of IT and cloud policies throughout the world, it also brings attention to several nations which have been demonstrating negative trends. Countries such as China and Russia have implemented policies which could be seen to inhibit the growth of cloud computing within their countries, by limiting the ability of cloud computing service providers to adequately move data across borders.

“The Scorecard shows that countries are eager to welcome cloud computing and its myriad economic benefits, and many of them are creating a favourable regulatory and legal environment,” said Espinel. “Unfortunately, the Scorecard also shows some countries are heading down a path of treating cloud computing as the next frontier of protectionism. The report is a wakeup call for all governments to work together to ensure the benefits of the cloud around the globe.”

Russia, for example, has implemented a legal requirement that data operators store the personal data of Russian citizens on servers based in Russia. In addition, every personal data information system (irrespective of the simplicity of the database) must be certified by the Federal Service for Technical and Export Control (FSTEC). In turn, this data can only be used on software and hardware which has also been approved by the FSTEC.

The BSA believes this will have a negative impact on the country’s digital economy, stating “The local requirements are not compliant with generally accepted international standards, and Russia does not participate in the Common Criteria Recognition Agreement (CCRA).”

Microsoft files lawsuit against US government and secret snooping orders

Microsoft has filed a new lawsuit in federal court against the United States government, arguing that customers should have the right to know when the state accesses their emails or records.

Under current law, the government has the right to demand access to customer information, while also issuing orders to companies such as Microsoft to keep these types of legal demands secret. Microsoft claims these orders are becoming too commonplace; rather than being routine, these secrecy orders should be the exception, not the rule.

“We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records,” said Brad Smith, President and Chief Legal Officer at Microsoft on the company blog. “Yet it’s becoming routine for the U.S. government to issue orders that require email providers to keep these types of legal demands secret. We believe that this goes too far and we are asking the courts to address the situation.

“Cloud computing has spurred a profound change in the storage of private information. Today, individuals increasingly keep their emails and documents on remote servers in data centres – in short, in the cloud. But the transition to the cloud does not alter people’s expectations of privacy and should not alter the fundamental constitutional requirement that the government must – with few exceptions – give notice when it searches and seizes private information or communications.”

While the company recognizes there are certain circumstances where secrecy would be required, it would appear the US government is using the legal demands to keep secrecy as a default setting. Microsoft has claimed the demands violate the company’s First Amendment right to free speech, as well as its customers’ Fourth Amendment right, which gives people and businesses the right to know if the government searches or seizes their property.

“Over the past 18 months, the U.S. government has required that we maintain secrecy regarding 2,576 legal demands, effectively silencing Microsoft from speaking to customers about warrants or other legal process seeking their data,” said Smith. “Notably and even surprisingly, 1,752 of these secrecy orders, or 68% of the total, contained no fixed end date at all. This means that we effectively are prohibited forever from telling our customers that the government has obtained their data.”

Microsoft’s case is built on the perception that the Electronic Communications Privacy Act is currently being abused by US officials, and on the fact that the act is dated and no longer relevant. The act, which is seemingly unpopular with technology firms, has been in place since 1986. Microsoft argues the time period between the act being written and the widespread use of the internet is too long for the legislation to be relevant to today’s world.

“While today’s lawsuit is important, we believe there’s an opportunity for the Department of Justice to adopt a new policy that sets reasonable limitations on the use of these types of secrecy orders,” said Smith. “Congress also has a role to play in finding and passing solutions that both protect people’s rights and meet law enforcement’s needs. If the Department of Justice doesn’t act, then we hope that Congress will amend the Electronic Communications Privacy Act to implement reasonable rules.”

The company believes the act should be updated in three areas. Firstly, from a transparency perspective, the government should be held accountable when it snoops through customer data, and in the majority of cases the customer should be informed. Second, there should be a focus on digital neutrality as customers should not receive less notice of government activities simply because emails are stored in the cloud. Finally, there should be a necessity clause which would limit what the government can keep secret. In these circumstances, Microsoft wants the right to tell its customers what has been seen outside of the necessity clause.