Once the Protection of Personal Information Bill (PPI) is enacted, organisations could be held liable for not adequately protecting personal data hosted in the cloud.
This is according to Claus Tepper, an information security specialist from the IQ Business Group, who claims local information security regulations could deter companies from implementing a cloud strategy.
He advises South African companies to proceed with caution when contemplating a cloud migration or deployment. “The challenge facing any organisation is data ownership and data security. No matter where an organisation decides on storing the data, they are ultimately responsible for the protection and processing [of that data].”
According to Tepper, organisations which choose to host data in the cloud must ensure the requirements of the PPI Bill are covered in a commercial contract between themselves and the cloud service provider.
Tepper says once the PPI Bill is enacted, organisations must be certain that the country where their data is stored has similar data privacy laws or provisions governing the cloud service providers. He explains that the challenge is that cloud service providers are often hesitant to disclose information around their security policies and controls as well as location of physical data centres.
“Regulators locally and in foreign countries may, under certain circumstances, require cloud service providers to decrypt data for inspection and/or it may be seized, including the physical equipment, if required. Being a platform of multi-tenancy, organisations must be aware of this and plan accordingly.”
Hosting data in the cloud means organisations lose some control over their data, such as physical storage. Tepper indicates this could result in more companies choosing to have their sensitive data hosted internally, rather than in the cloud. “The ultimate responsibility still remains with the organisation that acquired the data from the subject and defined the purpose of the data.”
Information Security Group of Africa founder and chairman, Craig Rosewarne, says the PPI Bill dictates accountability of business data must sit with the corporate that owns the data. He adds that customers of cloud services would still need to verify the data stored in the cloud.
“Many companies still do not feel comfortable with moving their data to the cloud. However, a lot of companies are using the cloud for components of their business. Core marketing and sales operations use cloud applications such as Salesforce for CRM-type information,” notes Rosewarne.
Gartner estimates the global market for cloud services currently totals $46 billion and is projected to reach $150 billion by 2013. Spending on public cloud services is growing six times faster than IT spending. By 2014, the total market for public cloud services will be $56 billion, according to the research firm.
Share