Category Archives: data protection

IBM and Box extend partnership to offer greater flexibility on data residence

IBM has extended its partnership with Box to provide enterprises the choice to store data regionally in Europe and Asia on the IBM Cloud.

The IBM cloud will be available as part of Box’s new Box Zones technology, and is the first time that Box customers will have the choice of where to store their data. IBM will also utilize the Box Zones offering to extend its hybrid cloud proposition.

“Organizations want to tap into all of the benefits of the cloud while retaining the security, performance, control and other attributes they might achieve with local data centre infrastructure,” said John Morris, general manager at IBM Cloud Object Storage. “With Box Zones and the IBM Cloud, enterprise customers across Europe and Asia will soon have the choice to leverage the IBM Cloud global footprint locally, and uniquely support hybrid cloud and on-premises deployments, integrating data between Box Zones and on-premises content repositories.”

Since the launch of the partnership in June 2015, the pair has integrated a number of different products, including a new version of the IBM MobileFirst for iOS Expert Seller app that is built on Box Platform.

“Box and IBM are focused on bringing world-class technology to enterprises across the globe, and on building dynamic content and collaboration solutions that transform the way our customers do business,” said Aaron Levie, CEO of Box. “Box Zones enables us to combine Box’s rich, intuitive content management experience and collaboration tools with IBM Cloud’s powerful global infrastructure to overcome many of the data storage concerns faced by businesses in Europe and Asia.”

The launch would appear to be well timed as transatlantic data movement and residence has been under continuous scrutiny following the European Court of Justice’s decision to strike down Safe Harbour last October. While EU-US Privacy Shield has been put to the industry, receiving backing from Microsoft in the process, industry insiders have told BCN that the new policy is unlikely to have much impact on the concerns of EU citizens and businesses. As the EU-US Privacy Shield is a policy, not law, companies are likely to refer directly to national legislation as opposed to any European directive.

IBM’s and Box’s partnership could be perceived as a shrewd move to counter any arguments that potential customers have with regard to their data residence and overall compliance.

Microsoft endorses EU-US Privacy Shield despite criticism from EU industry commentators

Microsoft has become one of the first major US tech companies to confirm its support of the EU-US Privacy Shield, the successor of the now defunct Safe Harbour Agreement.

Data transfer between the EU and the US has been on relatively shaky legal ground over recent months, as between the EU striking down the Safe Harbour Agreement and introducing the EU-US Privacy Shield there has been no official framework. While Microsoft has publicly stated its approval of the agreement, it does not believe that it goes far enough.

“We recognize that privacy rights need to have effective remedies. We have reviewed the Privacy Shield documentation in detail, and we believe wholeheartedly that it represents an effective framework and should be approved,” said John Frank, Vice President EU Government Affairs at Microsoft, on his blog.

“We continue to believe today that additional steps will be needed to build upon the Privacy Shield after it is adopted, ranging from additional domestic legislation to modernization of mutual legal assistance treaties and new bilateral and ultimately multilateral agreements,” said Frank. “But we believe that the Privacy Shield as negotiated provides a strong foundation on which to build.”

Back in October, the European Court of Justice decided that Safe Harbour did not give data transfers between Europe and the US adequate protection, and declared the agreement which had been in place since 2000 void. The EU-US Privacy Shield, Safe Harbour’s successor, has also come under criticism in recent weeks as concerns have been raised about how much protection the reformed regulations give European parties.

While Microsoft does appear happy with the new agreement, there have been industry commentators who have outlined their own concerns. Privacy activist Max Schrems, who has been linked to the initial downfall of Safe Harbour, said in a statement reacting to Privacy Shield, “Basically, the US openly confirms that it violates EU fundamental rights in at least six cases.” Others to react negatively are German MEP Jan Philipp Albrecht, who commented on Twitter, “This is just a joke. @EU_Commission sells out EU fundamental rights and puts itself at risk to be lectured by CJEU again”, as well as whistleblower Edward Snowden, who said, “It’s not a “Privacy Shield”, it’s an accountability shield. Never seen a policy agreement so heavily criticized.”

As part of the announcement, Microsoft has also committed to responding to any complaints about its participation in Privacy Shield within 45 days.

Socitm outlines concerns for local government ahead of new data protection regulations

The Society of Information Technology Management, Socitm, has stated that local government bodies should review all information governance arrangements in light of changes to EU-US data protection policies.

In its latest briefing, Data protection: <Control><All><Delete>?, Socitm has recommended that all IT professionals update their information, security and data protection policies, as councils could face difficulty in remaining compliant under the new legislative framework.

Data protection has been a hot topic in recent months, following the European Court of Justice striking down the Safe Harbor agreement last year, as well as criticisms of its replacement, the EU-US Privacy Shield. “Legal action in the wake of the Snowden revelations challenged the degree of protection for citizens’ data provided by Safe Harbor,” Socitm said in the statement. “New measures giving foreigners’ data some legal protection have been put in place, but it is not yet known whether the European authorities will consider that US privacy protection is now adequate.”

In recent weeks, privacy activist Max Schrems, who has been linked to the initial downfall of Safe Harbour, said in a statement reacting to Privacy Shield, “Basically, the US openly confirms that it violates EU fundamental rights in at least six cases. The commission claims that there is no ‘bulk surveillance’ any more, when its own documents say the exact opposite.”

Socitm said in the statement that the new European Data Protection Regulation will also update data laws in the UK, which currently don’t account for new technologies. The UK Data Protection Act was written in 1998, several years before the launch of the social media platforms Facebook and Twitter, as well as the surge in data usage from both consumers and enterprises. Socitm stated that councils could be left in a vulnerable position when the regulations are brought in officially.

The regulations, a draft of which was released in January, stated that data protection legislation would have to be updated for the digital age, that consumers would have to have access to their own data to understand how and where it is utilized, and that security standards for an individual’s data would be increased.

The fear here seems to be focused around the volume of changes that would need to be enforced once the new regulations are in place. It would appear Socitm is concerned that local councils will not be able to keep pace, leaving the councils in a non-compliant and susceptible position.

“Accommodating the changes will be a matter of amending existing processes rather than inventing new ones,” said Dr Andy Hopkirk, Head of Research at Socitm. “Some of the changes could be onerous and problematic. For example, councils will need to be able to deal correctly and completely with ‘right to be forgotten’ requests – perhaps the single greatest challenge in an almost ubiquitously networked and distributed computing world.”

US revealed to have 46% of all data centres despite EU concerns

New findings from Synergy Research Group show that 46% of major cloud and internet data centre sites are located in the US, with second-placed China only accounting for 7%.

The research is based on an analysis of the data centre footprint of 17 of the world’s major cloud and internet service firms and highlights the dominance of the US in the cloud market place. Japan is listed at third with a 6% market share and Germany was the largest European player with just 4%.

“Given that explosive growth in cloud usage is a global phenomenon, it is remarkable that the US still accounts for almost half of the world’s major data centres, but that is a reflection of the US dominance of cloud and internet technologies,” said John Dinsdale, Research Director at Synergy Research Group.

Considering the dominance of AWS, Microsoft and Google in the cloud market space, it’s unsurprising that the US is top of the rankings, though recent concerns from European countries regarding movement of its citizens’ data outside of the EU could complicate matters. Germany is one country which is sensitive to any changes in data protection policy and is considered to have some of the most stringent data protection laws worldwide.

“The other leading countries are there due to either their scale or the unique characteristics of their local markets. Perhaps the biggest surprise is that the UK does not feature more prominently, but that situation will change this year with AWS, Microsoft and Google all opening major data centres in the country,” said Dinsdale.

Back in October, the European Court of Justice decided that Safe Harbour did not give data transfers between Europe and the US adequate protection, and declared the agreement which had been in place since 2000 void. The EU-US Privacy Shield, Safe Harbour’s successor, has also come under criticism in recent weeks as concerns have been raised about how much protection the reformed regulations give European parties.

While the new agreement has been initially accepted, privacy activist Max Schrems, who has been linked to the initial downfall of Safe Harbour, said in a statement reacting to Privacy Shield, “Basically, the US openly confirms that it violates EU fundamental rights in at least six cases. The commission claims that there is no ‘bulk surveillance’ any more, when its own documents say the exact opposite.” A letter from Robert Litt, General Counsel of the Office of the Director of National Intelligence, confirmed that there were six circumstances where the NSA will be allowed to use data for undefined “counter-terrorism” purposes.

While the concentration of data centres in the US should not come as a huge surprise, it puts into further context the fears of European parties who are concerned with the effectiveness of any EU-US data protection policies.

Druva’s data protection service now available on Azure

Converged data protection firm Druva has allied itself with Microsoft Azure in a bid to expand its cloud presence to a wider public cloud and infrastructure market.

The new relationship gives Druva customers more global options for their data storage, privacy and security needs, and a more impressive infrastructure vendor for companies with sensitive compliance and legal issues. Partnering with Azure helps Druva settle any regional data privacy issues that might otherwise dissuade customers from using Druva, as more companies realise that on-premise storage is becoming unsustainable, according to Druva.

Druva’s new Azure relationship, it says, gives customers a wider set of choices as they try to decide how to keep up with data growth, security and regionally specific regulation requirements.

Azure will help Druva meet international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2. Among the country standards it meets are the Australian IRAP, UK G-Cloud and Singapore MTCS. Microsoft was also the first to adopt the uniform international code of practice for cloud privacy, ISO/IEC 27018, which governs the processing of personal information by cloud service providers. Microsoft’s data centre locations will give Druva 21 storage regions around the globe, including Canada and China, which will help Druva meet the data residency needs increasingly specified by clients, it claims.

Customers need stronger data protection and security in the cloud now they’re running sensitive workloads, according to Druva CEO Jaspreet Singh. Microsoft will broaden Druva’s cloud-related options and give customers additional choice for deploying in the cloud securely and conveniently. “Druva has quickly grown to become the de facto standard for data protection workloads in the public cloud,” said Singh.

Azure will extend the data storage footprint of Druva inSync, the analyst endpoint and cloud service data protection system. Druva inSync plans will begin at $6/user per month. Azure support will be generally available in 45 days.

Opinion divided on impact of CISA ruling on Safe Harbour

The new US Cybersecurity Information Sharing Act (CISA), passed in the US Senate on Tuesday, has made it even harder for data sharing between the US and EU, according to critics.

However, attitudes to data sovereignty and the institution of a new Safe Harbour agreement seem to be polarising across both sides of the Atlantic.

Former White House cyber security advisor French Caldwell, chief evangelist at GRC software company MetricStream, said he recognised the ‘libertarian’ argument but that those at the front line in the IT industry have a more realistic grasp of the immediate issues. “Libertarians are strongly opposed and it’s easy to sympathise with that position. Once the door opens to information sharing, the arrangement might go from voluntary to mandatory over time,” said Caldwell.

However, security people on the ‘front lines’, at banks, electrical utilities, energy companies and hospitals, are fighting a war, he said. “Well-financed gangs of criminal hackers are attacking businesses and government agencies daily. And as we’ve seen over the last few years, nation-states are probing for weakness. These cyberattacks amount to cyberwar,” said Caldwell.

The significant privacy protections in the CISA legislation will also provide protection from anti-trust rules for companies that share threat information. Better still, it would bring data holders into a protective information sharing culture with federal agencies, he argued.

However, a UK counterpart saw the CISA ruling differently. “This is bad news. Just as the EU makes it clear that it’s a serious problem if security agencies get easy access to personal data, the US Government makes it even easier for this snooping to happen,” said Mike Weston, CEO of data science consultancy Profusion.

The Cybersecurity Information Sharing Act will make it significantly harder for the US and Europe to agree a replacement for the collapsed Safe Harbour provisions, according to Weston. “Without assurances that European citizens’ personal data is protected, it’s hard to see how such an agreement might be reached. The biggest stumbling block is that while US citizens are afforded some protection by the USA Freedom Act, none applies to citizens of other nations.”

In a Microsoft blog posting, its chief legal officer Brad Smith called on the US government to respect European Union privacy laws for transatlantic personal data in the post-Safe Harbour era.

The note describes privacy as a ‘fundamental human right’ and urges the US government to commit to only accessing private information stored in the United States about EU citizens in a manner that ‘conforms with EU law, and vice versa’.

CSA tool helps cloud users evaluate data protection posture of providers

The CSA says the tool can help customers and providers improve their cloud data protection practices


The Cloud Security Alliance this week unveiled the next generation of a tool designed to enable cloud customers to evaluate the level of data protection precautions implemented by cloud service providers.

The Privacy Level Agreement (PLA) v2 tool aims to give customers a better sense of the extent to which their providers have practices, procedures and technologies in place to ensure data protection vis-à-vis European data privacy regulations.

It also provides guidance for cloud service providers on achieving compliance with privacy legislation in the EU, and on how these providers can disclose the level of personal data protection they offer to customers.

“The continued reliance and adoption of the PLA by cloud service providers worldwide has been an important building block for developing a modern and ethical privacy-rich framework to address the security challenges facing enterprises worldwide,” said Daniele Catteddu, EMEA managing director of CSA.

“This next version that addresses personal data protection compliance will be of significant importance in building the confidence of cloud consumers,” Catteddu said.

The tool, originally created in 2013, was developed by the PLA working group, which was organised to help transpose the Art. 29 Working Party and EU National Data Protection Regulator’s recommendations on cloud computing into an outline CSPs can use to disclose personal data handling practices.

“PLA v2 is a valuable tool to guide CSPs of any size to address EU personal data protection compliance,” said Paolo Balboni, co-chair of the PLA Working Group and founding partner of ICT Legal Consulting. “In a market where customers still struggle to assess CSP data protection compliance, PLA v2 aims to fill this gap and facilitate customer understanding.”

ISO 27018 and protecting personal information in the cloud: a first year scorecard

ISO 27018 has been around for a year - but is it effective?


A year after it was published, ISO 27018 – the first international standard focusing on the protection of personal data in the public cloud – continues, unobtrusively and out of the spotlight, to move centre stage as the battle for cloud pre-eminence heats up.

At the highest level, this is a competitive field for those with the longest investment horizons and the deepest pockets – think million square foot data centres with 100,000+ servers using enough energy to power a city. According to research firm Synergy, the cloud infrastructure services market – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and private and hybrid cloud – was worth $16bn in 2014, up 50 per cent on 2013, and is predicted to grow 30 per cent to over $21bn in 2015. Synergy estimated that the four largest players accounted for 50 per cent of this market, with Amazon at 28 per cent, Microsoft at 11 per cent, IBM at 7 per cent and Google at 5 per cent. Of these, Microsoft’s 2014 revenues almost doubled over 2013, whilst Amazon’s and IBM’s were each up by around half.

Significantly, the proportion of computing sourced from the cloud compared to on-premise is set to rise steeply: enterprise applications in the cloud accounted for one fifth of the total in 2014 and this is predicted to increase to one third by 2018.

This growth represents a huge increase year on year in the amount of personal data (PII, or personally identifiable information) going into the cloud and in the number of cloud customers contracting for the various and growing types of cloud services on offer. But as the cloud continues to grow at these startling rates, the biggest inhibitor to cloud services growth – trust about the security of personal data in the cloud – continues to hog the headlines.

Under data protection law, the Cloud Service Customer (CSC) retains responsibility for ensuring that its PII processing complies with the applicable rules. In the language of the EU Data Protection Directive, the CSC is the data controller. In the language of ISO 27018, the CSC is either a PII principal (processing her own data) or a PII controller (processing other PII principals’ data).

Where a CSC contracts with a Cloud Service Provider (CSP), Article 17 of the EU Data Protection Directive sets out how the relationship is to be governed. The CSC must have a written agreement with the CSP; must select a CSP providing ‘sufficient guarantees’ over the technical security measures and organizational measures governing PII in the cloud service concerned; must ensure compliance with those measures; and must ensure that the CSP acts only on the CSC’s instructions.

As the pace of migration to the cloud quickens, the world of data protection law continues both to be fragmented – 100 countries have their own laws – and to move at a pace driven by the need to mediate all competing interests rather than the pace of market developments.

In this world of burgeoning cloud uptake, ISO 27018 is proving effective at bridging the gap between the dizzying pace of cloud market development and the slow and uncertain rate of legislative change by providing CSCs with a workable degree of assurance in meeting their data protection law responsibilities. Almost a year on from publication of the standard, Microsoft has become the first major CSP (in February 2015) to achieve ISO 27018 certification for its Microsoft Azure (IaaS/PaaS), Office 365 (PaaS/SaaS) and Dynamics CRM Online (SaaS) services (verified by BSI, the British Standards Institution) and its Microsoft Intune SaaS services (verified by Bureau Veritas).

In the context of privacy and cloud services, ISO 27018 builds on other information security standards within the ISO 27000 family. This layered, interlocking approach is proving supple enough in practice to deal with the increasingly wide array of cloud services. For example, it is not tied to any particular kind of cloud service and, as Microsoft’s certifications show, applies to IaaS (Azure), PaaS (Azure and Office 365) and SaaS (Office 365 and Intune). If, as shown in the graphic below, you consider computing services as a stack of layered elements ranging from networking (at the bottom of the stack) up through equipment and software to data (at the top), and that each of these elements can be carried out on premise or from the cloud (from left to right), then ISO 27018 is flexible enough to cater for all situations across the continuum.

Software as a Licence to Software as a Service: the Cloud Continuum


Indeed, the standard specifically states at Paragraph 5.1.1:

“Contractual agreements should clearly allocate responsibilities between the public cloud PII processor [i.e. the CSP], its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture). For example, the allocation of responsibility for application layer controls may differ depending on whether the public cloud PII processor is providing a SaaS service or rather is providing a PaaS or IaaS service upon which the cloud service customer can build or layer its own applications.”

Equally, CSPs will generally not know whether their CSCs are sending PII to the cloud and, even if they do, they are unlikely to know whether or not particular data is PII. Here, another strength of ISO 27018 is that it applies regardless of whether particular data is, or is not, PII: certification simply assures the CSC that the service the CSP is providing is suitable for processing PII in relation to the performance by the CSP of its PII legal obligations.

Perhaps the biggest practical boon to the CSC, however, is the contractual certainty that ISO 27018 certification provides. As more work migrates to the cloud, particularly in the enterprise space, the IT procurement functions of large customers will be following structured processes in order to meet the requirements of their business and, in certain cases, their regulators. In their requests for information, proposals and quotations from prospective CSPs, CSCs now have a range of interlocking standards including ISO 27018 to choose from in their statements of requirements for a particular cloud procurement. As well as short-circuiting the need for CSCs to spend time writing up detailed specifications of their own requirements, verified compliance with these standards for the first time provides meaningful assurance and protection from risk around most aspects of cloud service provision. Organisations running competitive tenders can benchmark bidding CSPs against each other on their responses to these requirements, and then include the obligations to meet the requirements of the standards concerned as binding commitments in the contract when it is let.

In the cloud contract lifecycle, the flexibility provided by ISO 27018 certification, along with the contract and the CSP’s policy statements, goes beyond this to provide the CSC with a framework to discuss with the CSP on an ongoing basis the cloud PII measures taken and their adequacy.

In its first year, it is emerging that complying, and being seen to comply, with ISO 27018 is providing genuine assurance for CSCs in managing their data protection legal obligations. This reassurance operates across the continuum of cloud services and through the procurement and contract lifecycle, regardless of whether or not any particular data is PII. In customarily unobtrusive style, ISO 27018 is likely to go on being a ‘win’ for the standards world, cloud providers and their customers, and data protection regulators and policy makers around the world.

Microsoft to improve transparency, control over cloud data

Microsoft wants to improve the security of its offerings


Microsoft has announced a series of measures to give customers more control over their cloud-based data, a move it claims will improve transparency around how data is treated as well as the security of that data.

The company announced enhanced activity logs of user, admin and policy-related actions, which customers and partners can tap into through a new Office 365 Management Activity API to use for compliance and security reporting.

Microsoft said by the end of this year it plans to introduce a Customer Lockbox for Office 365, which will give Office users the ability to approve or reject a Microsoft engineer’s request to log into the Office 365 service.

“Over the past few years, we have seen the security environment change and evolve. Cyber threats are reaching new levels, involving the destruction of property, and governments now act both as protectors and exploiters of technology. In this changing environment, two themes have emerged when I talk with our customers – 1) they want more transparency from their providers and more control of their data, and 2) they are looking for companies to protect their data through leading edge security features,” explained Scott Charney, corporate vice president, trustworthy computing at Microsoft.

“In addition to greater control of their data, companies also need their technology to adhere to the compliance standards for the industries and geographic markets in which they operate.”

The company is also upping its game on security and encryption. Office 365 already encrypts data in transit, but in the coming months Charney said the company plans to introduce content-level encryption, and by 2016 plans to enable the ability for customers to require Microsoft to use customer-generated and customer-controlled encryption keys to encrypt their content at rest.

It also plans to bolster network security through Azure-focused partnerships with the likes of Barracuda, Check Point, Fortinet, Websense, Palo Alto Networks, F5 and Alert Logic, and broaden the security capabilities of its enterprise mobility management suite.

Microsoft has over the past couple of years evolved into a strong proponent of and active participant in discussions around data security and data protection, including legislative change impacting these areas in the US. It’s also among a number of US cloud providers that are convinced many still lack trust in the cloud from a security standpoint, consequently hampering its ability to make inroads into the cloud market, which gives it an added incentive to double down on securing its own offerings.

EU data protection authorities rubber-stamp AWS’ data processing agreement

EU data protection authorities have rubber-stamped AWS' data protection practices


The group of European Union data protection authorities known as the Article 29 Working Party (WP29) has approved AWS’ Data Processing Agreement, which the company said would help reassure customers that it applies high standards of security and privacy in handling their data, whether moved inside or out of the EU.

Amazon said its inclusion of standardised model clauses within its customer contracts, and the WP29’s signoff of its contract, should help give customers more confidence in how it treats their data.

“The security, privacy, and protection of our customer’s data is our number one priority,” said Werner Vogels, chief technology officer, Amazon.

“Providing customers a DPA that has been approved by the EU data protection authorities is another way in which we are giving them assurances that they will receive the highest levels of data protection from AWS. We have spent a lot of time building tools, like security controls and encryption, to give customers the ability to protect their infrastructure and content.”

“We will always strive to provide the highest level of data security for AWS customers in the EU and around the world,” he added.

AWS already boasts a number of highly regulated clients in the US and Europe, and has made strides to appease security- and data-sovereignty-conscious customers. The company has certified to ISO 27001, SOC 1, 2 and 3 and PCI DSS Level 1, is approved to provide its services to a number of banks in Europe, and is working with the CIA to build a massive private cloud platform.

More recently AWS added another EU region based in Frankfurt; it already operates one in Dublin.

The rubber-stamping seems to have come as welcome news to some Members of the European Parliament, who have for the past few years been actively working on data protection reform in the region.

“The EU has the highest data protection standards in the world and it is very important that European citizens’ data is protected,” said Antanas Guoga, Member of the European Parliament.

“I believe that the Article 29 Working Party decision to approve the data processing agreement put forward by Amazon Web Services is a step forward in the right direction. I am pleased to see that AWS puts an emphasis on the protection of European customer data. I hope this decision will also help to drive further innovation in the cloud computing sector across the EU,” Guoga added.