As Facebook scandal deepens, data sovereignty is back on Australia’s secure-cloud agenda
- 11 April, 2018 12:42
As the Facebook data sharing scandal ignites concern and an Australian Privacy Commissioner investigation – and sends cofounder and CEO Mark Zuckerberg pleading his case in front of the US Congress – recent efforts by data protection companies to help companies isolate and localise customers’ personally identifiable information (PII) are gaining traction.
Services such as CommandHub’s newly-announced HubDrop – a secure, encrypted online file-sharing service that leverages the PROTECTED-level classification of cloud provider Vault Systems – build on recent efforts to provide domestic cloud services robust and secure enough to be used for even sensitive data.
“Our data is only as safe as the space in which it is kept,” Vault Systems CEO and founder Rupert Taylor-Price said in a statement while launching the service at this week’s ACSC 2018 conference. “Not only does CommandHub’s security solutions add a security, but with Vault Systems’ ASD certified cloud we can guarantee that the Australian Government’s data stays protected on a sovereign cloud under Australian jurisdiction.”
Many businesses wrestled with issues of data sovereignty early on in the lifecycle of cloud services, and many early adopters took public cloud providers’ guarantees about global control at face value. Yet with legislation such as Australia’s notifiable data breach (NDB) scheme and the looming EU GDPR pushing companies to a new level of accountability for their data, better control over that data is back on the menu.
“There are no hard and fast regulations to say that data has to be held within a particular country, but choice, flexibility and control are becoming part of our customers’ requirements for due diligence,” Allan Robertson, Asia-Pacific senior vice president with Intralinks, told CSO Australia.
Tighter regulations have brought new currency to data-control mechanisms including a ‘trust perimeter’ that allows companies to use customer-managed encryption keys to share data and revoke access rights to that data even when it is outside the controls of the company network, Robertson said.
Intralinks this month doubled down on its support for the increasingly popular method of information sharing, establishing a Distributed Content Node in Australia that ensures data stored on its secure cloud won’t leave the country.
“These days the perimeter is no longer the four walls of the office,” Robertson explained. “The way that people are doing business today is virtual, flexible, and global – and the trust perimeter allows them to have this flexibility but still maintain control.”
Some 80 percent of the data stored on Intralinks’ global network is considered to be highly secure, Robertson said, and the Australian presence could well increase that.
Yet as increasingly high-security data makes its way into cloud services, enterprises remain cautious. Microsoft, for one, recently achieved ‘PROTECTED’ certification for its Azure cloud services and Office 365 services – but a companion government Consumer Guide has warned that as-yet-unavailable “additional compensating controls are to be implemented on a risk-managed basis by individual agencies prior to agency accreditation and subsequent use of these cloud services”.
Six Australian cloud offerings – including Dimension Data’s Protected Government Cloud, Macquarie Government’s GovZone, Microsoft’s Azure and Office 365, Sliced Tech’s Gov Cloud Package, and Vault Systems’ Gov Cloud Package – have so far been accredited for management of PROTECTED level data on the ASD Certified Cloud Services List.
Yet the promise of secure, cloud-based data storage hit a speed bump this month with the Facebook-Cambridge Analytica scandal – which not only affected an estimated 87 million Facebook users, but potentially exposed data on more than 300,000 Australian users and has turned Facebook into a poster child for the country’s new NDB laws.
Facebook will reportedly be notifying those users that their data may have been improperly accessed – and may face penalties under the Privacy Act.