I don't get into "the cloud"

28/10/2016

In recent years, people have heard more and more about "the cloud": that kind of entity that knows everything, that guards everything.

There are many who are reluctant to use this system because they say they do not feel safe, they mistrust it, they lose control over their data… But then they use an email service like Gmail, Hotmail, etc. Ladies and gentlemen, the servers that store our emails, where we put personal data, attached documents and everything else we send by mail, are not managed by us; they are managed by Mr. Google and Mr. Microsoft (among others).

When using data hosting on external servers managed by third parties, you have to know what you are getting into. Not everything goes. It is not worth saving data in the cloud if:

  • The service provider is not known
  • It is unknown if there is a subcontracting of the service
  • The location of the storage servers is not known
  • The security measures of the servers are not known


Pfff… But what company is going to give me all that information?


The problem is that the company providing the service must be transparent and clear. The Spanish Data Protection Agency already says so, in its Guide for customers who contract Cloud Computing services:


LACK OF TRANSPARENCY

It is the provider who knows all the details of the service offered. For this reason, we are faced with the need to know what, who, how and where the processing of the data provided to the provider for the provision of the service is carried out. If the latter does not provide clear, precise and complete information on all the elements inherent to the provision, the decision adopted by the controller cannot adequately take into account basic requirements such as the location of the data, the existence of sub-processors, the information access controls or security measures. In this way, it is difficult for the person in charge to assess the risks and establish the appropriate controls.

LACK OF CONTROL

As a consequence of the peculiarities of the processing model in the cloud and in part also of the lack of transparency in the information, the lack of control of the person in charge manifests itself, for example, in the face of the difficulties to know at all times the location of the data, the difficulties in having the data held by the provider or in being able to obtain it in a valid and interoperable format, the obstacles to effective treatment management or, in short, the lack of effective control when defining the substantive elements of the treatment in terms of technical and organizational safeguards.

Extract from the Guide, p. 11

In other words, a client who is going to contract the services of a cloud provider should take into account the security guarantees and transparency that the provider offers, since it is the client's responsibility to decide where to host their data (especially if what you host is data from third parties: your clients, workers, etc.).

In summary:

  • You have to be clear that cloud computing / cloud hosting is being used when:

      • You use an email account where the hosting server is managed by a third party (Gmail, Yahoo, Hotmail, your own company domain...)
      • You use document managers where you store documentation (Dropbox, One Drive, Google Drive, company document manager...)
      • You make online backups
      • You use applications and/or programs for the management of your company, human resources, etc. that you have to access from the Internet

  • About the information storage server, it may be that:

      • The service provider with whom you have contracted manages the mail hosting server
      • The service provider with whom you have contracted subcontracts the hosting of the emails on a third-party server (and this may in turn subcontract it)
      • The hosting server is owned by you

  • About the server information:

      • You have to know the location of the server or, at least, know if it is inside or outside the European Union
      • If it is in the United States, you should know whether the provider adheres to the Privacy Shield
      • You have to know the security measures/certificates that these servers have
      • And yes: you have to have a contract with the service provider for data access on behalf of third parties

  • On the choice of provider:

      • We recommend that you value the transparency of the information provided by the providers when choosing between one or the other, since it is their obligation to provide such information. If they don't, why is that?
      • We recommend that you read the Guide for customers who contract Cloud Computing services before deciding on the choice of a provider.




Idaira Hernandez Peraza

Director of Consultants Peraza & Asociados, SL


