Cloud services of every kind are commonplace today. In the cloud we find hosting, servers, services and even malicious software. Still, it is worth remembering that the "cloud" is neither omnipotent nor, above all, necessarily reliable.
Author: Primož Govekar
In general, smaller companies that did not want, or could not afford, suitable information and communication technology specialists quickly realized that they could store data outside their own server environments and thereby transfer the risks, above all the risk of data loss, to an external provider, on the assumption that nothing serious could happen.
The weakness of that reasoning was demonstrated by recent events, when a fire at an OVH data center took some 3.6 million websites offline for a time, and some customers lost all of their data permanently.
It must not be forgotten that the risk of data loss (loss of availability) is only one of the risks to be considered. The other two groups of risks, which follow directly from the aspects of information security and which a company should take into account when setting up any data storage system, are the risks of disclosure (loss of confidentiality) and of falsification (loss of integrity) of information or personal data.
The fourth group of risks concerns compliance. If we process personal data at an external provider, this means first of all compliance with the GDPR and with sectoral practice. In the area of compliance, an important judgment of the Court of Justice of the EU was handed down last July: it annulled the Privacy Shield, which makes it considerably harder to work with providers whose data centers are in the US, or which are US companies (even when they operate through EU subsidiaries) and are therefore bound to comply with US regulations.
Ask yourself at least four questions before renting
So it is not enough for a company to simply rent space from a provider and consider "all the problems solved". The decision to rent the space is the last step in ensuring compliance and the protection of personal data; before that, the company must consider at least the following:
- What information will we process at an external provider and what is the risk for the company of violating an individual aspect of information security?
- How will the information be protected at the provider’s service?
- How and where will we provide a backup of the information to be hosted by the provider?
- If we process personal data at a non-EEA provider, how will the company ensure compliance with sectoral regulations (GDPR...)?
For the first question, the general rule is: less is more. The less information there is on the provider's service, the less damage the company is likely to suffer in the event of misuse.
Unless you are renting an entire floor space or a physical rack, it is quite likely that the provider technically has access to your (virtual) disk and consequently to all the data on it. The data on the disk can of course be encrypted, but then it is essential to know who actually holds the key that unlocks it: if the provider generates and stores the key, the provider can read the data just as before.
The recent experience with OVH has shown that a backup kept only at the same provider is not enough. Consider alternatives following the 3-2-1 rule (three copies, on two kinds of media, at least one off-site), together with an estimate of how quickly you need to restore normal operation after a possible adverse event, and test that the restore actually works.
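The two points above, a key that stays with the company and copies that follow the 3-2-1 rule and are proven by a real restore, can be demonstrated in a few dozen lines. The following Go program is an added example, not code from the original article or from any provider: it encrypts a backup with AES-256-GCM under a company-held key (so a provider that can read the virtual disk sees only ciphertext, and any damage or tampering at the provider fails authentication), checks a list of stored copies against the 3-2-1 rule, and then restores every copy and compares it with the digest of the original data. The sample data, the copy locations and the damaged provider-side copy are all constructed for the example; the key would in practice come from the company's own key management, never from the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Copy is one stored copy of a backup, described for the 3-2-1 check.
type Copy struct {
	Location string // where it lives, e.g. "provider-A", "office-NAS"
	Media    string // media class, e.g. "cloud", "disk", "tape"
	Offsite  bool   // physically separate from the primary site?
	Blob     []byte // the backup exactly as stored (ciphertext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a backup under a key that stays with the company. The label
// is bound as associated data, so a blob from one backup set cannot be
// silently substituted for another. Layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open decrypts and verifies a blob. Any change to the stored bytes, or the
// wrong key or label, fails authentication instead of returning garbage.
func Open(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(label))
}

// Check321 returns the ways in which the copies fall short of the 3-2-1 rule:
// at least three copies, on at least two media, at least one off-site.
func Check321(copies []Copy) []string {
	media := map[string]bool{}
	offsite := 0
	for _, c := range copies {
		media[c.Media] = true
		if c.Offsite {
			offsite++
		}
	}
	var problems []string
	if len(copies) < 3 {
		problems = append(problems, fmt.Sprintf("only %d copies (need 3)", len(copies)))
	}
	if len(media) < 2 {
		problems = append(problems, fmt.Sprintf("only %d media type (need 2)", len(media)))
	}
	if offsite < 1 {
		problems = append(problems, "no off-site copy")
	}
	return problems
}

// RestoreTest actually restores every copy and compares it with the digest of
// the original data, returning the locations that are usable and those that
// are not. A backup that has never been restored is an assumption, not a backup.
func RestoreTest(key []byte, copies []Copy, label string, want [32]byte) (good, bad []string) {
	for _, c := range copies {
		pt, err := Open(key, c.Blob, label)
		if err != nil || sha256.Sum256(pt) != want {
			bad = append(bad, c.Location)
			continue
		}
		good = append(good, c.Location)
	}
	return good, bad
}

func main() {
	key := make([]byte, 32) // assumption: comes from the company's own KMS, never stored at the provider
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	data := []byte("constructed sample: customer export 2021-03-10") // constructed data
	blob, err := Seal(key, data, "crm-2021-03-10")
	if err != nil {
		panic(err)
	}
	damaged := append([]byte(nil), blob...) // constructed: copy silently corrupted at the provider
	damaged[len(damaged)-1] ^= 0x01
	copies := []Copy{
		{"provider-A", "cloud", true, damaged},
		{"office-NAS", "disk", false, blob},
		{"offsite-tape", "tape", true, blob},
	}
	fmt.Println("3-2-1 problems:", Check321(copies))
	good, bad := RestoreTest(key, copies, "crm-2021-03-10", sha256.Sum256(data))
	fmt.Println("restorable:", good, "unusable:", bad)
}
```

Running it reports no 3-2-1 problems for the three copies, but the restore test rejects the provider-side copy: the GCM tag no longer verifies, so the damage is detected rather than silently restored. Removing the tape copy from the list makes Check321 complain about the missing third copy, which is exactly the situation the OVH customers were in.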
Compliance also requires knowing the current practice and state of affairs in personal data processing. Amazon AWS and the Doctolib platform even managed to convince the French administrative court that their processing was not contrary to the Schrems II decision, but that ruling relied on rather strict conditions (including encryption with keys kept away from the provider) that an ordinary company, unlike AWS, would find hard to meet.
There are of course many more questions, and many more possible answers, when setting up hosting. Depending on the type of information, the company will probably also need an external expert to assess the risks and ensure adequate protection of personal data. You will not go far wrong if that expert has many years of proven experience with IT, with the ISO 27001 standard, with the extension of that standard into the GDPR area, and with the GDPR itself. Better still if the expert is backed by a whole team and holds a nationally recognized professional qualification, such as the one run by Info House.
It would be wrong to conclude from the above that cloud services should be avoided at all costs and only a company's own servers used, as the latter are not perfect either. But more on that some other time. (PR)