Cloud ignorance exposed by Commissioner
If your company uses smartphones, are you using overseas ICT infrastructure?
According to the majority of government agencies and companies responding to the Privacy Commissioner’s survey on the use of overseas ICT infrastructure in cloud computing, the answer is “No.”
“That was the most startling result,” Commissioner Marie Shroff told Computerworld. “Some of the other results are not good, but they weren’t such a surprise. But this one was a surprise and that was actually something we added into the survey at the last minute. We suddenly thought maybe we’d better specify and ask them if they have internet-capable phones, because there is a possibility they don’t realise what they are doing [that smartphones connect to overseas infrastructure] and sure enough, that is what the results showed.”
In the survey of 50 respondents, 46 said their organisation used mobile internet/email devices. But when asked ‘whose overseas infrastructure does your organisation use?’ just over half – 26 respondents – stated they didn’t use overseas infrastructure at all. A further six respondents said only their own organisation’s overseas infrastructure was used.
Although the survey number is small, it includes large government departments such as the Ministry of Social Development and police, and major companies such as ASB Bank, Fonterra and Air New Zealand.
Shroff says the results show a large number of respondents that send data overseas do not check the overseas organisation’s use and management of the information, and often the decision to offshore information is made on an ad hoc basis.
She released the survey results during an event in Auckland to mark Privacy Week (May 1-7). At the event, questions were asked about companies’ liability if data is offshore and there is a security breach.
“You’re responsible for it so it is really important for you to get some really good controls in place,” says Katrine Evans, assistant commissioner for legal and policy. “That is not to say that mistakes won’t happen, they will happen. But you have got to do what is reasonable to stop them from happening.”
So what is “reasonable”?
Shroff says encrypting the data, ensuring that controls over the use and retrieval of data are written into contracts with overseas providers, and making sure those controls are monitored are among the steps a business that offshores clients’ data should take.
“If, for example, you have a rogue employee we won’t necessarily ping you as hard as we would, if it’s clearly something happening in the context of negligence as it is in the context of trying really hard and perhaps just having a bit of bad luck.”
In the survey there was no clear market leader in the cloud environment, with a range of vendors, including big names such as Google, IBM, Amazon and Microsoft, being cited.
Most of the information is offshored to Australia and the US.
Shroff says she is working on a global basis with privacy regulators on the issue of privacy in the cloud. “My general impression is that at least some of the cloud computing providers, the very big ones, are conscious of this and they in turn want to do the best for their customers in order to make sure the businesses don’t damage their relationships.
“Business in a sense has got it in a way that perhaps government haven’t. That complex ICT is something that needs to be handled with the utmost caution and care.”
When asked by Computerworld about the seeming disconnect between the Department of Internal Affairs pushing cloud computing solutions and the IRD appearing to caution against offshoring (as with the warning about accounting records in December), Shroff replied that the departments worked in different areas of the government, but she said it was a struggle in most countries to keep tax law up to date with ongoing developments in ICT.
Local "cloud" offerings or a combination of private and hybrid cloud models would keep NZ business in NZ and data sovereignty is no longer an issue.
If your data is stored in another country, you're paying international internet charges to access it and it is subject to the information management laws of the country in which it resides.
I'm sure Archives NZ would have something to say about that...
Posted by Dave at 13:05:27 on May 17, 2011
So the issue is not so much about security but more about who has access to the data. These companies cannot tell the governments of the hosted data where to get off.
Not all information is sensitive but can you imagine a scenario where government contracts are available in one country and bids are received by companies from other countries. If those bidding companies have data residing in the host country and are competing with local companies... it only takes a few backhanders to start looking... oh.. I forgot - politicians would never do those kinds of favours for their friends!
Posted by Brent at 12:42:24 on May 16, 2011
If that doesn't give you pause for thought, I suggest you contact your bank and suggest that they outsource their help desk to India...
Posted by Dave at 12:53:37 on May 11, 2011