Steelie Neelie: One cloud contract model to rule them all The European Commission is seeking leading lights in the arena of cloud services to help sketch out a contract framework so that customers don't get tied into murky deals. At least, this is the principle that Steelie Neelie Kroes, vice president of the EC outlined in a blog today, ahead of the European Cloud Partnership …
If the company's HQ is in the US, forget it. As a matter of fact, using them for business means you are breaking EU Data Protection laws by default if you have any client information on it (think about this one - still want to use Gmail for business?).
If the company has US subsidiaries, you will need professionals to review the organisation, segmentation and legal model to evaluate the risk exposure (that's the legal and procurement part of what we do for a living, besides examining the security model).
If the company is EU based, you're reasonably OK if you're an EU company or outsource to a EU company. Unless you're in Switzerland or Liechtenstein, which is even more complex. They may talk about taxation agreements, but the Swiss have apparently suddenly remembered they have privacy actually explicitly spelled out in their federal constitution. This is why the secret US agreement suddenly ran into a brick wall - one of the political parties realised that "secret" equalled to "non-democratic" and threw a spanner into the works.
There are in general three main items you need to look at to ensure you can protect your clients and your corporate information. Only one of them is "security"...
"But a report commissioned by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs stated the model contract clauses and binding corporate rules do not prevent US law enforcement agencies accessing that data."
One wonder's whether the Committee on Civil Liberties reads all the papers, the rights of access to data is one that most countries security organisations have (just look at GCHQ) and in many EU countries the controls on such access are often less than those that apply to the US (e.g. Ministerial Orders as opposed to cross party oversight committees).
The reality is that it does not matter where the information is held some govt. is always going to have access to it so we may as well learn to live with it (and make sure we use really strong encryption).
The reality is that it does not matter where the information is held some govt. is always going to have access to it
It depends on how well controlled that access is. If it's pretty much ad hoc because there no longer is any due process (as in the US with all the various laws such as USA PATRIOT Act and FISA), then you are permanently at risk, also because you have no comeback if it goes wrong.
Elsewhere is a bit easier. BTW, really strong crypto is no help in the UK as you can be compelled to open that box or end up in contempt of court (= jail time).
au contraire
using strong crypto means:
a. whoever wants to look at your stuff has to ask you for the key, & you can push for written confirmation of that request;
b. more importantly, because of a. you know that your stuff is being accessed
I'd argue that this makes using the spy laws for commercial advantage a little less likely.
Of course the downside is false confidence if your strong crypto is not as strong as you think it is
I may be naive but would appreciate a PRACTICAL reason for going to cloud data storage.
Are the cost savings that great? And is the security risk that trivial?
I would have thought that most potential cloud customers could "get away" with a decently specced server, thereby retaining control of their data.
I may be naive but would appreciate a PRACTICAL reason for going to cloud data storage.
Are the cost savings that great? And is the security risk that trivial?
I would have thought that most potential cloud customers could "get away" with a decently specced server, thereby retaining control of their data.
Most potential cloud customers look at "The Cloud" as a way of getting rid of all that expensive IT nonsense, like racks and servers and IT staff, which doesn't make them any money.
"One of the big barriers to using cloud computing is a lack of trust," she said. "People don't always understand what they're paying for, and what they can expect."
But is that caused by a lesser degree of competence from these people, or because some Internet based companies can get away with just about everything? Often in the EU, more than often, do you get to see Internet "ghost" firms which will gladly accept your money but won't deliver any services.
And the worst part (though I can only comment on my local situation of Holland): 9 out of 10 cases the police has no or hardly time for cases like this. Especially because it's usually petty theft and resources to trace these culprits would be quite hefty... Over here the latest report surfaced last week: a few Dutch and Belgian people had booked a vacation with an Internet firm, and that firm is now all of a sudden "gone" and so is their money.
So is this about the companies? Or about an, often EU led, government which refuses to give its citizens the protection they're entitled to and basically try to let others deal with all that?
The main cause is that there ARE contracts: it saves providers the trouble of behaving. They became necessary for phones because providers handed out phones for free - bad idea - and needed to recoup the up-front loss. Contracts are not necessary today, you can buy non-tied phones and services.
There is no need for ties, the inconvenience of switching data to another provider should be sufficient to accept switching without restriction as the normal model for data. And no ties means they might listen a bit to their customers.
“Customer and data privacy is one of the single most important things at Amazon,” said Terry Wise, head of global partner ecosystem for Amazon Web Services. “If a U.S. entity is serving us with a legally binding subpoena, we contact our customer and work with that customer to fight the subpoena. We will do that proactively and help the customer in any way to comply with the subpoena or fight it.”
I guess reporting this doesn't suit the agenda of the many El Reg commentators still regurgitating the "Cloud is evil" mantra:
http://www.itworld.com/cloud-computing/361679/amazon-web-services-we-ll-go-court-fight-gov-t-requests-data
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
