ICO cloud advice ignores the monster in the shadows


The Cloud Market Maturity study, a joint effort between the Cloud Security Alliance (CSA) and ISACA, has revealed the major areas where confidence in the cloud is lowest across users in 50 countries.

The third biggest concern was international data privacy, followed by legal issues, contractual lock-in and data ownership/custodial responsibility. That I have focused on points three to six in a top ten list is no accident.

For a start, the Corporate Cloud Computing Trends report from The451's ChangeWave Research, apart from being a mouthful, also surveyed more than a thousand business folk and discovered that the most popular use of public cloud services was in the software as a service (SaaS) sector, which should really come as no great surprise; yet it's exactly this kind of public cloud service usage that could cause problems of cross-border data privacy, legal issues and data ownership.

Another document that has been published recently, much to the amusement of anyone with more than a smidgeon of common sense, was a data protection guide for cloud users from the Information Commissioner’s Office (ICO).

Among the items of genuine lunacy suggested is this gem. The ICO advises that, in order to comply with the Data Protection Act (DPA), businesses should have a written contract with their cloud service provider (CSP) that prevents the terms of this 'partnership' from being altered without prior agreement; that way, any potential impact upon DPA provision can be cut off at the pass. Of course, that assumes your CSP caves in to such a contractually binding agreement, which is about as likely as Jimmy Savile being canonised.

Unlikely and unnecessary, surely? After all, does your business have such a written contract with any other software licence provider? I seriously doubt it. Serious doubt also sums up my sentiments when it comes to the chances of, say, Amazon or Google or Microsoft capitulating to such a demand. If these big players did so they would be crippling their ability to operate their own business, and that's not going to happen. Bottom line: they would rather lose your business than risk damaging theirs.

But there is a serious point mixed up in all this somewhere, namely the one that addresses how you overcome the small problem of ensuring your business can keep track of its data usage within public cloud services. I have heard it compared to the unregulated use of corporate email a decade or more ago, and we all know the problems that created when the time came to produce email evidence in court...

Barry Murphy, a principal analyst at the eDiscovery Journal Group, has warned that unless there are some checks put on SaaS usage then enterprises will find themselves arriving at a point where data is being stored across multiple CSP data centres and is financially, let alone logistically, prohibitive to retrieve in the event of litigation.

Ed Macnair, CEO of cloud application security outfit SaaSID, says that the problem is compounded when there are multiple instances of SaaS apps being used within an organisation without the awareness or sanction of the IT department.

Both Barry and Ed are right, of course, and the answer would seem to lie not in fantasy-contract-land as the ICO suggests but rather in the very real world of good business practice and policy.

Before entering into an agreement with a CSP you need to know, and be happy with, what the vendor policy regarding e-discovery is and how that applies to your own corporate requirement. This is well within the remit of service level agreement negotiation I would have thought. Then there's the small matter of your own fantasy contracts with your staff, also known as acceptable use policy, which should establish how the company deals with what I have come to call Shadow IT but you probably know as the BYOD debate.

I call it Shadow IT as that's exactly what it is, and where it exists: in the shadows. You kind of know it's being used but unless you illuminate that usage through a combination of policy and enforcement, you won't know where until it leaps out and bites you firmly on the bum during times of legal stress.

The mixture of a consumer cloud and this shadow IT has created a monster that needs to be chained down, that's for sure. Here's hoping the ICO will release some revised advice soon, removing the fantasy contract spell casting approach, replacing it with a way to handle this monster.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.