A metaphorical bookend to the week, a group of industry heavyweights released a set of security and privacy principles around protecting cloud data they have asked governments around the world to consider and embrace.
The Trusted Cloud Principles came on the heels of the Tuesday launch by the Enterprise Data Management (EDM) Council of a framework for managing data in the cloud.
Along with the major cloud providers, such as Amazon Web Services, Google Cloud, IBM, and Microsoft, this group was a bit broader than the one headed up by the EDM Council in that it reportedly included Atlassian, Cisco, Salesforce, and SAP.
The five broad-based security and privacy principles posted on the group’s website include the following:
- Engage customers first. Governments should seek data directly from enterprise customers as opposed to cloud service providers other than in exceptional circumstances.
- Right to notice. When governments seek to access customer data directly from a cloud service provider, customers of the provider should have a right to advance notice of government access to their data, which only can be delayed in exceptional circumstances.
- Cloud providers should have a way to protect their customers. The industry should develop a clear process for cloud service providers to challenge government access requests for customer data, including notifying relevant data protection authorities.
- Governments should address potential legal conflicts. Governments should create ways to raise and resolve conflicts with each other so that a cloud service provider’s legal compliance in one country does not amount to a violation of law in another.
- Support for cross-border data flows. Governments should support the cross-border flow of data as an engine of innovation, efficiency, and security, and avoid data residency requirements.
The Trusted Cloud Principles offer a great framework for organizations seeking a serious solution to protect user data, said Saryu Nayyar, CEO at Gurucul. However, Nayyar said organizations have to back up the framework with actionable steps to ensure that data cannot easily be stolen and used.
“Organizations have to practice this level of protection, and users have to trust it,” Nayyar said. “That’s the only way users can feel that their privacy data is ultimately safe. We want our data, especially personal data, to be effectively shielded from theft and illicit viewing. Online, that’s easier said than done, as private data can easily turn into public data.”
Sounil Yu, chief information security officer at JupiterOne, said achieving and maintaining compliance with security and privacy takes hard work. It becomes even harder when rules are contradictory across borders.
“Software-driven security governance will get us far in keeping track of these rules and maintaining adherence to them, but ultimately, governments need to get their act together and work out their differences for the benefit of society and industry as a whole,” said Yu.
Oliver Tavakoli, CTO at Vectra, said this set of principles broadly seeks to create a framework for the cloud-centric tech sector to engage governments across the world in dialogue regarding laws governing data held within their cloud platforms.
“It’s a noble pursuit — particularly as it recognizes a notion of international human rights law — and it is also a long-term play,” Tavakoli said. “The amount of consistent effort that the signatories put into this over the coming years will ultimately determine success or failure of such an endeavor.”
Doug Cahill, vice president of analyst services and a senior analyst at the Enterprise Strategy Group, said public cloud footprints and cloud-native applications are becoming increasingly business-critical. But with 88% of ESG research respondents saying that their organizations need to evolve their cybersecurity programs to secure their use of the cloud, the industry clearly has some work ahead.
“Establishing trusted cloud principles will provide enterprises a framework within which they can update their cybersecurity programs to secure their cloud footprint,” Cahill said.
Some were not as optimistic, but wish the new group well.
“These are lofty aspirations that fly in the face of several tech organizations that have bent over backwards to work with authoritarian regimes like China,” said Bill Lawrence, CISO at SecurityGate. “While I applaud and would support their efforts, there are fewer governments that respect international law or personal data privacy these days. Best of luck gaining momentum.”
