News

CSPs Must Restore Trust in Cloud

Cloud
The recent PRISM scandal highlights the need for end users to understand government attitudes to surveillance and privacy. According to APM Group, the Cloud Industry Forum’s (CIF) independent certification partner, the case casts light on the important questions end users need to be asking of their Cloud Service Providers (CSPs), if they are to prevent their data from unwittingly being stored in undesirable jurisdictions.

According to Richard Pharro, APM Group’s CEO, without clarity on data location it will become increasingly difficult to maintain and grow trust in the cloud:

“This latest episode will have revealed a blind spot for cloud users, many of whom remain in the dark about precisely where their data is being stored and who has access to it. Moving data to the cloud can often mean it is hosted in another country and subject to different data laws. Privacy laws are not standardised across Europe, and as we have seen, even countries with quite strict legislation have anti-terrorism laws that can allow governments to access your data. Businesses have the right to know where their sensitive and confidential information is being stored, and what protection and legislation this data is subject to.

“In order to understand the best fit of cloud, it is important that organisations are able to make a practical assessment of the criteria that will help define the options possible. Key to this is knowing the questions to ask your CSP, pertaining to things like data sovereignty, data security, and interoperability, as well as business continuity planning, operational transparency and capability. On balance, and depending on the type of data being stored, businesses may want to seek out jurisdictions with more favourable privacy laws, like France or Germany.”

Pharro pointed to the CIF Code of Practice as a means for end users to sift through reputable suppliers and find a CSP that best suits their needs:

“CSPs that certify against the Code of Practice are required to make public their approach to transparency, capability and accountability, and their data handling practices, including where data is stored. In short, the information that an end user would need to be able to make an informed choice about their CSP that meets their data handling and storage requirements.”