Categories
Articles

ENISA – working out cloud security requirements

ENISA’s new report proposing a “Security Framework for Governmental Clouds” may be more widely useful than its title and explicit scope suggest. Chapter 3 of the report suggests something pretty close to a project plan that any organisation could use to assess which applications and data are appropriate to move to a cloud service, what […]

Categories
Articles

Clouds and the draft Data Protection Regulation

At the moment both cloud computing providers and their business customers in Europe have to deal with at least twenty-eight different interpretations of Data Protection law. And there are nearly as many different national rules and formalities when using non-European cloud providers (the UK approach is described in the Information Commissioner’s Guide to Cloud Computing). […]

Categories
Articles

International transfers within cloud providers

The Article 29 Working Party have published an explanatory document on Binding Corporate Rules for Data Processors, to provide further detail on using the template they published last year. European data protection law requires that any export of personal data from the European Economic Area be covered by adequate measures to protect individuals whose data […]

Categories
Articles

Template for Cloud Privacy Level Agreements

Last year the Article 29 Working Party published an Opinion on Cloud Computing expressing concern at the information available to those considering moving services to the cloud about the protection that cloud services offered for their data. The Cloud Security Alliance have now produced a template for service providers to provide the information that the […]

Categories
Articles

Critical Cloud Computing

ENISA’s Critical Cloud Computing report examines cloud from a Critical Information Infrastructure Protection (CIIP) perspective: what is the impact on society of outages or attacks? The increasing adoption of the cloud model has both benefits and risks. A previous ENISA report noted that the massive scale of cloud providers makes state of the art security […]

Categories
Articles

EU DP Supervisor on Cloud Computing

A new Opinion of the EU Data Protection Supervisor discusses some of the problems in applying the current Data Protection Directive to public cloud services, and how these might be done better under the proposed Data Protection Regulation. Particular challenges include Although the Directive claims to regulate “transfers” of personal data out of the EEA, […]

Categories
Articles

Cloud Computing Security: Benefits and Risks

An interesting presentation by Giles Hogben of ENISA at TERENA’s CSIRT Task Force meeting in Heraklion last week, looking at security issues when moving to the public cloud computing model.There have been several papers on technical issues such as possible leakage of information between different virtual machines running on the same physical hardware (for example […]

Categories
Articles

Information Commissioner Guide to Cloud Computing

The Information Commissioner has published new Guidance on the Use of Cloud Computing for organisations who are, or are considering, using cloud services to process personal data. The benefits of clouds are recognised: these may include “increased security, reliability and resilience for a potentially lower cost”. However cloud customer organisations may also “encounter risks to […]

Categories
Articles

Progress on a European approach to Cloud Computing

The ASPIRE study on the future of National Research and Education Networks calls for European NRENs to work together on a common approach to cloud computing. The European Commission has just published a Cloud Strategy that also seeks a common European approach, noting that “faced with 27 partly diverging national legislative frameworks, it is very […]

Categories
Articles

MoJ Summary of Data Protection Responses

The Ministry of Justice have published a summary of the responses to their consultation on European Data Protection proposals. On the issues we raised around Internet Identifiers, Breach Notification and Cloud Computing there seems to be general agreement with our concerns. No one else seems to have mentioned Incident Response specifically, but there was a […]