Navigating the cloud security minefield

Fears around cloud security can be eased if you create a contingency plan and familiarise yourself with legislation in Australia and overseas

Cloud could well be an IT executive’s dream come true – a chance to reduce costs and potentially free up money for other IT projects.

However, navigating the minefield of fear, uncertainty and doubt (FUD) about cloud security from various quarters is easier if an organisation creates a contingency plan and is aware of the legislation that applies in Australia and overseas.

For Corrs Chambers Westgarth Lawyers senior associate, Johanna O’Rourke – who specialises in ICT law – having a plan in place means that security and litigation problems can be minimised before an organisation's data gets compromised or executives have to defend the company in court.

Speaking at the IDC Cloud Conference in Sydney, O’Rourke told delegates that organisations are required to retain large amounts of electronic information, which is essential for day-to-day operations.


“As chief information officers move data into the cloud this means that they need to give up control of the data and this is where legal issues can occur,” she says.

For example, the company could face the risk of improper disclosure, reputational damage, litigation by third parties in the event of a data breach, and prosecution by regulators such as the Office of the Australian Information Commissioner.

“The Australian Privacy Commissioner, Timothy Pilgrim, is not afraid to investigate data breaches and make statements in relation to them,” she warns.

For example, the Commissioner investigated the April 2011 data breach of Sony’s PlayStation Network where 77 million customer accounts were compromised.

According to O’Rourke, the incident happened between 17 and 19 April 2011. However, Sony did not announce the data breach until 26 April.

“While the Commissioner found there had been no breach of the Privacy Act, he did have concerns that it took Sony 10 days to notify account holders that their data had been compromised,” she says.

Privacy Act

When it comes to regulation, O’Rourke points out that the Australian Privacy Act 1988 does not address cloud computing, so it is a matter of applying existing privacy law to the technology.

“In the cloud computing context, the Act applies to Australian companies that are collecting data in Australia and storing this data either onshore or offshore,” she says.

“It also applies to foreign companies that are conducting business in Australia that store the data here before shifting it overseas.”

However, the Act does not apply to overseas enterprises that have not collected the data in Australia.

“The reason I have laboured this point is because many of the cloud providers will not actually be bound by the Privacy Act,” she says.

According to O’Rourke, many cloud service providers have no office in Australia and, as a result, no servers or data located here.

However, Australian companies using those overseas providers' services are still bound by the Act. As a result, extra protections need to be written into the contracts with these providers if the company decides to transfer personal information into the cloud.

“The relevant principle which applies under the Privacy Act to cloud computing is NPP 4, which talks about data security and a requirement to maintain that data,” she says.

“The other principle is NPP 9, which covers transborder data flows. The reason it’s relevant is that in a cloud environment, you are unable to transfer that data unless you’ve received the consent of the person whose personal information you have or it’s been transported to a jurisdiction that has similar laws to the Privacy Act,” she says.

According to O’Rourke, the European Union privacy laws are considered to be similar but US privacy laws and Singapore laws are not recognised by the Australian Privacy Commissioner.

Turning to the Privacy Amendment Bill 2012, one major change which IT executives should take note of is in relation to cross-border disclosure.

“Under the new laws the organisation that transfers the data will remain liable in the event of a security breach,” she says.

In effect this is strict liability: if the company’s cloud provider suffers a data breach, it is the company that transferred the data, not the provider, that is held liable under the Act.

“You’re going to want protections in your contract to make sure that you have the ability to recover in the event that something happens,” she says.

“That’s a worst case scenario so you want to be doing the due diligence on the provider to make sure that they are doing what they can to ensure it is a secure environment and that you don’t even get to the point of data security breaches.”

By Hamish Barwick