Trade Law Daily is a service of Warren Communications News.
Global Rules Sought

Cloud-Computing Safeguards Said to be Hindered by Communication Gap Between Technologists, Lawyers

Privacy and security efforts in the “cloud” may be hampered by a gap between information technology and the law over what cloud computing is, a Microsoft executive said Thursday at a Council of Europe conference on cybercrime. Many of the issues in cloud computing are the same as for the Internet in general, said Roger Halbheer, the company’s chief security adviser for Europe, the Middle East and Africa. Several speakers stressed the need for global agreement on dealing with the problems.

Cloud computing is about “computing becoming a utility,” like electricity and water, said Jim Reavis, the Cloud Security Alliance’s executive director. The cloud has layers -- software, platforms and infrastructure -- each presenting a different context for user control over data, he said. As customers’ information is mixed in the cloud, new risks are created, Reavis said. Threats include the use of cloud computing for misdeeds, malicious insiders, insecure application programming interfaces and data loss or leakage, he said.

Some organizations -- fearing security and privacy issues in public clouds such as those of Google and Microsoft -- are choosing to create their own systems, Reavis said. But in the long run, maintaining a large number of private clouds will create interoperability problems, he said. He predicted the emergence of “virtual private clouds” hosted by large public providers.

Cloud computing inflames data-protection worries, said Yves Poullet, the director of an IT and law center at the University of Namur, Belgium. Whether a cloud user has privacy depends on who the cloud operator is, where its servers are and what the laws are in the country where the information is stored, he said.

The legal issues vary depending on whether a cloud customer is a government, a company or an individual, Poullet said. People want to know that they can control the circulation of their data and what will happen to the information when they die, he said. Companies need to know that their business secrets and personal data about customers won’t be leaked, Poullet said. Whether a government can control information stored outside its borders raises sovereignty issues, Poullet said. Questions remain about the application of EU data-privacy laws, he said.

Accessing data in the cloud is a headache for law enforcement, said Alexander Seger, who runs the CoE economic crime division of the human rights and legal affairs directorate. Procedures valid within a jurisdiction may not work if the data is hosted abroad, and mechanisms for cross-border cooperation aren’t particularly efficient, he said. It’s not clear whether police agencies can have direct access to cloud data without cooperation from the hosting country or whether access is possible without the collaboration of ISPs and cloud computing providers, he said. Data-protection standards trusted around the world are needed to deal with the challenges of cloud computing, he said.

A pragmatic approach should be taken to the legal problems, said Christian Aghroum, the head of the French Interior Ministry’s National Unit for Countering Cybercrime. Cloud computing is of concern because it doesn’t respect borders, he said. Many efforts have been made to counter online criminal syndicates, but there’s no clear international dimension to combating cybercrime in the age of cloud computing, he said.

This is a new challenge, but probably not the last one, said President Francesco Pizzetti of the Italian Data Protection Authority. He called for strong, clear international rules, increased cooperation among law enforcement bodies in Europe, and bilateral agreements with non-EU governments on data protection.

Cloud computing isn’t a new technology but a new business model, said Udo Helmbrecht, the European Network and Information Security Agency’s executive director. It offers improved scalability, reduced prices, increased flexibility, the benefits of standardization and market competition, he said. But it also carries risks about where data is and who’s handling it, whether information is locked in or can be shifted to another provider and how much control users have over their information, he said. ENISA wants cloud computing providers to be required to tell their customers of data-security breaches, he said.

The technical issues of cloud computing are solvable, Halbheer said. He recommended that businesses use public clouds, despite concerns that their data could be seized under the U.S. Patriot Act and similar laws. Governments that handle sensitive personal data, however, should use private clouds within their own borders, he said.