Session Title | Safeguarding National Interests in The Future Of Cloud Computing
The objective of this paper is to understand the challenges faced by cloud service adopters and cloud service providers under the Data Localization approach. This is primarily due to the differences in regulations and prevailing data security obligations in different geographies. Countries are facing limitations in establishing accountability between cloud service users and cloud service providers with respect to data security and privacy regulations. Each country has drafted its own legal framework for information security in the cloud. Users operating in multiple countries have to comply with all the local legal and regulatory requirements and laws.
The role played by cloud service providers in providing the infrastructure and the synergy required between all stakeholders will be looked at in brief. Approaches that can alleviate the adoption hindrances and methods to provide a unified platform to facilitate Data Localization have been discusse
Cloud computing provides geographically boundary-less access to data and its related data operations to enable organisations the world over to function in a seamless manner. While technology innovations and advancements are the foundational bedrock in establishing digitisation and futuristic advancements, they do create doubt with respect to data privacy and its intended access and protection. Especially with more government agencies and data handlers moving towards cloud computing, a lot of sensitive and confidential user information is available online. The most common user data types are: personally identifiable information such as health information, religious and financial transaction data. There are multiple regulatory and privacy acts governing the handling and protection of data, but with the introduction of cloud computing the ownership and control of data still remains ambiguous.
Let us assume that a company operating in the UAE is utilising cloud services for its computational needs and the servers are hosted in India (offshore). Now if a cloud user wants to bring charges against a service provider due to a data breach or failure of service, then what should the approach be? Do they consider UAE laws and regulations, as the data is created there, or consider the laws of India, where the data is being stored? In either case, outside the scope of the contractual rights mentioned in the service agreement, the laws have limited applicability and may prove to be ineffective.
Also, if the cloud user in the UAE sues for indemnity or loss through damages, then as per UAE Civil Code (Number 5 of 1985), the cloud user will have to prove the value of loss and this might be easily possible. Also, the UAE Federal Law number 2 of 2006 concerning cyber crimes focusses on the criminal actions of a hacker with malicious intent but does not address the claims for loss that a cloud user may charge against a faulty cloud provider, especially if the cloud service provider is operating in another country.
Governments and national regulators in the GCC countries depend on the data localisation concept to retain control and regulate the protection controls. Data localization law requires that businesses that operate using cloud computing store and process their data using servers located within the country and not transfer it overseas. If companies want to store end user information on servers hosted abroad, then exclusive consent must be taken from end users and the information can be stored only for the agreed period of duration. Companies not following data localisation can attract legal and financial fines and can be disbarred from operations.
Through data localization, regulators will be better positioned to lay down the guidelines for:
1) minimum data security and control measures to ensure protection
2) accountability of user data - Cloud provider and data handler
3) data jurisdiction - applicable regional legal and privacy policies and laws
For example, in the UAE, processing of personal data may be subject to the Penal Code prohibition on disclosure without the consent of the end-user to whom the information relates. For Dubai International Financial Centre (DIFC) and Dubai Health Care City (DHCC) entities which process both personal and sensitive personal information, GDPR-style data protection regulations would apply along with explicit consent to transfer data into another jurisdiction. Best practices including technology and process controls would have to be used to ensure data privacy and security.
More recently, the Cyberspace Administration of China opened its “Security Assessment for Personal Information and Important Data Transmitted outside of China” for public comments. This effort indicates the growing concern among developing and developed countries in establishing data localisation and in maintaining a protocol for businesses operating and collecting personal data in the country. The idea was to provide a framework to determine accountability in case of a security breach or data leak. Though responsibility cannot be marked in black and white regarding the relations between a cloud service provider and cloud user, the service agreement and regional data hosting stipulations can help maintain perspective.
What does it mean for Cloud Service Providers and market players?
For cloud computing providers, this opens up a plethora of operational, legal and business challenges.
Operational - Cloud providers will have to set up local installations in line with the Data localization policy of that country and also ensure adequate data protection measures. This might also increase the operational overload as they cannot set up a single centralised distribution method. Centralisation, which has been the single biggest attractive feature of cloud computing, will be decentralised to some extent to offer services in each region.
Financial - The increased cost in installation and maintenance of multiple data hosting centres leads to increased cloud computing costs for the cloud service providers. The resources (manpower and hardware) will have to be duplicated many times for maintaining high redundancy, availability and security.
Legal - With each country having its own data localization requirements and record retention obligations (financial, legal, etc.), the cloud service provider is obligated to adhere to all of the local regulations and governance practices. The policy makers and information security governance team do not always work with the same goal in mind and hence the requirements can vary in each applicable case.
Cloud users depend on cloud service providers to address their digitisation needs and to reach international markets at low costs. With the intent of data localization in place, there is a limit to which they can use the data collected from one region for their global business model. The following points have to be considered by every cloud user when engaging with a cloud service provider:
Data location - Users have to be cognizant of the local laws governing data privacy, data collection and transfer within the various GCC countries. Care should be taken especially while transferring data across regions to ensure adherence to local regulations.
Data Retention Obligations - Companies operating in the GCC countries such as the UAE have clear retention regulations such as the Federal law number 18 of 1993 Commercial Transactions Law, which dictates that organizations under the Electronic commerce and Transactions law may maintain the records in electronic form for the intended retention period. However, when working with a cloud service provider, the company must ensure that the cloud service provider implements sufficient protection mechanisms and controls to ensure continuity and not lead to failure to comply.
Data Ownership - Cloud users will usually be responsible for the data that they generate and handle. Any information that the cloud service provider creates in relation to the cloud user will have to be clearly documented in the service contract to describe data ownership and the nature of the relationship.
Thus, Data localization adds an additional burden on both the cloud service provider and cloud user at the cost of maintaining governance. While the cost for small companies can justify the ‘governance vs data localization’ ratio, it could be nightmarish for a multi-national company operating globally in different regions. The overhead involved in setting up a localized data network can far outweigh the advantages. The legal and regulatory scenario guiding data privacy is also heavily fragmented and does not have a common ground. Take the GCC, for example: there is no central data privacy regulation or central law governing cloud information security. The same applies to legal and regulatory governance as well.
Most countries in the GCC have adapted their existing Information Security approach and policies to suit the Cloud Computing scene. In an on-going effort towards attaining maturity in process, countries and regulators are engaging with the market players on a continuous and periodic basis.
A document released by Saudi Arabia’s Communications and Information Technology Commission (CITC) called for public comments on cloud computing in early 2016. The draft states that “User Content” (defined as any data or information generated or provided under a contract with a Cloud service provider) will be subject to different levels of data security based on the sensitivity of information, source of information, etc. It is proposed that no “Level 3” User content can be transferred outside of Saudi Arabia for whatever purpose or in whatever format, nor can “Level 4” content concerning highly sensitive or secret content belonging to government entities. While “Level 4” content governance is reasonably logical, “Level 3” is very broadly defined and does not define what is classified as “Sensitive” content. Does “Level 3” information security apply to government authorities and agencies only? Or does it apply to corporates and non-governmental data handlers as w
Now, let us consider the information security controls suggested for Cloud Computing in the UAE. The National Electronic Security Authority (NESA) has developed the “UAE Information Assurance Standards (IAS)”. Adherence to the IAS standard is made mandatory only for UAE government entities and those identified as critical. Though NESA recommends that all entities who may not be subject to IAS requirements also adopt them as best practice, there is no legal obligation to comply.
1) Unified Approach - Like the prevailing GDPR governing data privacy of European Citizens, there should be a unified data security standard and framework to guide and drive information security within Cloud Computing. Clear sections will have to be dedicated to dictate the roles, responsibilities and accountabilities of both the Cloud User and the Cloud Service Provider. Cloud Computing is here to stay and, with an increased percentage of business models moving over from the traditional infrastructure to cloud services or MSSP, focus must be provided in developing the information security framework regarding acceptable usage. A central, neutral governing council, transcending regional entities, has to be created to oversee the creation of the common framework. The council must elicit participation and coordination between CEMEA, ASEAN, SAARC, etc. to create a forum for knowledge exchange and to formulate a central set of policies and information security principles for Cloud Computing.
2) Setting up of Data Embassies - Just like the traditional meaning of the word “Embassy”, Cloud service providers should set up regional groupings in each region with adherence to local regulations incorporated. We will term these as “Data Embassies”. Each “Data Embassy” will have a set of pre-defined requirements, as defined by the Cloud Service Provider in accordance with the regional laws and regulations. The Cloud Service Provider has to then highlight the set of requirements to be complied with by the Cloud User to transfer data between “Data Embassies” in a compliant fashion. Care should be taken to include a consent mechanism in the business process as this will prove quintessential to this model.
For example, a “Data Embassy” can be set up for all the participating countries of the GCC. They will be guided by a framework of guidelines and all cloud users can utilise the data services. Now care must be taken regarding the laws and regulations that the data will be subject to. The data created and maintained by an organisation or entity based out of Kuwait should have the laws of Kuwait applicable to it and should not be conflicted with the laws of Qatar or Bahrain, which could be a part of the Data Embassy.
By providing a unified platform on top of which local regulations can be applied at Cloud user level, data centres can cater to a much larger audience base and reduce their costs. “Data Embassies” have to be governed through increased data jurisdiction with clear outlining of the data collection and transmission process. By establishing a compliant platform, a cloud service provider can provide the assurance needed by the cloud user to comply with the local regulations and laws applicable. This customer centric approach can build the stage for a Cloud Computing resurgence undeterred by Data Localization.
3) Establish Governance Council - All the key stakeholders, policy/law makers, governance regulators and Cloud service providers in the region have to be identified and should be brought together to create a consortium. For example, a SAARC consortium would have representatives from each participating nation such as India, Sri Lanka, Bangladesh, Pakistan, Nepal, The Maldives, Afghanistan and Bhutan. The presence of a consortium will ensure that technology advancers and policy makers can come together and create a central framework. They can establish a free dialogue and discussions with the other participating members to regularise the framework and present a unified approach. Similarly, consortiums can be set up for CEMEA, APAC, US and Central and Western Europe. The inter-communication between all the consortiums can give rise to a standard approach and global adoption.
The consortium and panel of experts will prepare and present the framework to address data localization issues, as well as the common best practices involving Data security and privacy. The maturity of such a framework will depend upon the initiative from participant members and their cooperation to set up a boundaryless cloud computing platform. The cloud users and data controllers/handlers can benefit immensely from this scenario and the cost of computing can be significantly reduced for the Cloud Service Providers.
Cloud Computing is here to stay and will be the new norm for organizations the world over. Data localization is the way established by regulators and governing bodies to protect and monitor data security and privacy. Cloud Service Providers and cloud users have a shared responsibility and accountability towards data protection of their end users. More maturity is needed in the governance process, and there has to be a central council (constituted by key stakeholders like governing bodies, govt. entities involved in law making, judiciary, technology and compliance governance bodies, to name a few) to direct and drive the players involved in cloud computing.
A cyber security enthusiast with avid interest in the field of Cloud computing, compliance consulting and information security. With strong association to Information Technology for the last 13 years, he has recently taken over as the Regional manager of Business development and strategy for Crossbow Labs in the CEMEA region and works out of Dubai, UAE. Began his career in Infosys as a technology associate working in Core Banking and moved on to become a business associate dealing with Oracle ERP R12 suite, post his Masters in management. Currently engaged with the information security domain and has ISO 27001 Lead auditor and AWS cloud training to his credit.