Recently, in November actually, a “news and opinion” site for UK IT users known as TechWeekEurope lodged a Freedom of Information request with the Cabinet Office that revealed that neither Amazon Web Services (AWS) nor Google were selected to be part of a program known as G-Cloud II. This program has been set up by the government of the UK to “deliver fundamental changes in the way the public sector procures and operates Information and Communications Technology (ICT)”. Basically what that means is if you're a public sector entity in the UK, and you want to use “cloud services,” you have to use suppliers that are in the G-Cloud Program. (Yes, I know it's actually Programme in the UK, but I'm not British, capisce?)
At this point you might be asking yourself, “I'm not a public sector entity in the UK so why do I care about the G-Cloud Program?” Well, dear reader, I'm glad you asked, because if you hadn't I would have had no reason to write this article and then my handlers would have been very upset with me. While there isn't any official version as to why companies as big and established in the cloud computing space as AWS and Google weren't allowed into the program, some have opined that they just weren't “ready” due to some concerns around how and where information is stored in both of these services.
It's quite simple to prove that your company's information is currently located on a virtual instance of a server in a “local” data center (e.g. Amazon East). It's another thing entirely to know where Amazon might store that data as part of their business processes.
I want to make it clear that this is not only an AWS or Google issue but a more general issue with any and all Cloud Service Providers (CSPs). It is in fact one of the most important questions you can ask your potential CSP: WHERE is my data located when it is “in use,” and WHERE is my data located when it is “stored”? The answers to BOTH of these questions are crucial for any company that might have complex requirements about how their information is stored and secured. And, I have news for you: if you store ANY type of information, it's almost guaranteed that your requirements for storage of that data are complex.
Are you in the “medical” industry? Then HIPAA applies;
Banking or finance? GLBA, PCI, et al.;
Not in either of those but interact directly with the public? What about the Personally Identifiable Information (PII) of those you interact with that you might store? Are you aware that almost every state in the nation, as well as almost every country, has privacy laws in place to protect such information, that they are all different, and that a given piece of information might be considered out of scope by one set of laws or mandates but in scope for another?
Like I said, complex. But, complex does not have to be complicated. What it boils down to is that it is YOUR responsibility to ensure the protection of the information that you are putting “in the cloud”.
The first steps toward living up to your responsibility are to:
1) Identify and catalog all of the information that your company logs, requests, generates, etc. that might be considered protected or PII or otherwise “in-scope”
2) Identify which laws, mandates, jurisdictions, etc. your company might fall under
3) Ask your CSP how and where that information is stored and secured
4) Determine if the answers are sufficient to meet the compliance requirements identified in number 2) above.
Bonus Tip: Whenever possible don't collect data that isn't absolutely essential (see my previous article about the dangers of Retained Sensitive Data).
Master Class: Whenever possible encrypt your data BEFORE you transfer it “to the cloud”.