Do not use “The Cloud” for sensitive data, European Union warns members

ENISA report warns that complex data regulations mean that cloud computing services are unsuitable for government use

by Michael Smith (Veshengro)

The European Union has warned that data handling regulations could be holding up governments' adoption of cloud computing.

A report published by the European Union's “European Network and Information Security Agency” (ENISA) has warned that, at present, government agencies in the EU bloc should only deploy cloud services for applications that do not process sensitive data.

Data handling legislation in some EU states prevents certain data types from being taken out of their respective national borders. This would cause problems in the case of public clouds, ENISA says, as providers' data centres may be elsewhere, such as in the US, and thus, theoretically and practically, under the jurisdiction of a foreign, though maybe not necessarily hostile, government.

The ENISA document highlights further hurdles to adoption: “Cloud computing presents some additional challenges,” it continues. “For example, understanding the shift in the balance of responsibility and accountability for key functions such as governance and control over data and IT operations, ensuring compliance with laws and regulations, and, in some instances, the poor quality of Internet connectivity in some areas of the EU.”

The report suggests that state governments explore “whether current legal frameworks can be changed to facilitate the communication, treatment and storage of data outside national territory”.

ENISA says that so-called private clouds are currently the most viable option for public sector bodies “since they offer the highest level of governance, control and visibility”. Private clouds deliver services and infrastructure in highly virtualized form from an organisation's own data centre. This approach is exemplified by the UK government's proposed G-Cloud project, although the future of that initiative is uncertain following the departure of government CIO John Suffolk not so long ago.

The European Union is currently reviewing its Data Protection Directive, which forms the basis of data protection law in all member states, including the UK's Data Protection Act.

In November 2010, it published a document of proposed amendments, and these included reviewing the way data exchange between countries is governed.

The UK's former information commissioner Richard Thomas welcomed the EU's decision to review the directive, but remarked that “there is still a long way to go to draft balanced laws which will work in practice when so much personal information can flow so easily around cyberspace with no regard to national boundaries”.

The point that I have made again and again as to the cloud is that the data is no longer entirely yours, especially when considering the laws in other countries where the data may then be held, which could mean that the provider must allow government agencies access to all material stored on its servers, and that also means your data.

On a private level this, to me, is bad enough, but when it comes to the data that governments may place in cyberspace in this manner, things become a lot more sensitive.

My personal antipathy towards the cloud was simply that, for personal use, providers such as Google, etc., had clauses in the small print of the EULA that stated that by placing my data into their cloud I was transferring my copyright to them (or sharing copyright with them), implying that they had the right to use my material or parts of it in any way that they wished.

Sorry, folks, but my copyright is my copyright and I am not sharing it with Google, et al., and therefore I will retain the data right here where I am, thanks. Maybe government should do the very same or have their own private cloud provisions, totally controlled by them.

However, having seen the virtual desktops and all this that have recently been installed in local government computers, all I can say is, “G-d help us”! Nothing, but absolutely nothing, is working and if it does it takes ten times longer than it did before the virtualization. Time for a rethink, methinks.

© 2011