I don't get into "the cloud"

28/10/2016

In recent years, people have heard more often about "the cloud": that kind of entity that knows everything that guards .

There are many who are reluctant to use this system because they say they do not feel safe, they mistrust, they lose control over their data …. But then they use an email like Gmail, Hotmail, etc. Gentlemen, ladies, the servers that are used to store our emails, where we put personal data, attached documents and all the things that we know we send by mail, are not managed by us, they are managed by Mr. Google and Mr. Micfosoft ( among others) .

When using data hosting on external servers managed by third parties, you have to know where you are getting into. Not everything goes. It is not worth saving data in the cloud if :

The service provider is not known
It is unknown if there is a subcontracting of the service
The location of the storage servers is not known
No known server security measures

Pfff…. But what company is going to give me all that information?

The problem is that the company providing the service must be transparent and clear . The Spanish Data Protection Agency already says so, in its Guide for customers who contract Cloud Computing services :

LACK OF TRANSPARENCY

It is the provider who knows all the details of the service offered. For this reason, we are faced with the need to know what, who, how and where the processing of the data provided to the provider for the provision of the service is carried out . If the latter does not provide clear, precise and complete information on all the elements inherent to the provision, the decision adopted by the controller cannot adequately take into account basic requirements such as the location of the data, the existence of sub-processors, the information access controls or security measures. In this way, it is difficult for the person in charge to assess the risks and establish the appropriate controls .

LACK OF CONTROL

As a consequence of the peculiarities of the processing model in the cloud and in part also of the lack of transparency in the information, the lack of control of the person in charge manifests itself, for example, in the face of the difficulties to know at all times the location of the data, the difficulties in having the data held by the provider or in being able to obtain it in a valid and interoperable format, the obstacles to effective treatment management or, in short, the lack of effective control when defining the substantive elements of the treatment in terms of technical and organizational safeguards.

Extract from the Guide, p. eleven

In other words, the client who is going to hire the services of a cloud provider (or cloud), should take into account the security guarantees and transparency that it offers since it will be the responsibility of the client to decide where to host their data. (And especially if what you host is data from third parties, from your clients, workers, etc.).

In summary:

You have to be clear that cloud computing / cloud computing / cloud hosting is used when:

You use an email where the hosting server is managed by a third party (Gmail, Yahoo, Hotmail, your own company domain...)
You use document managers where you store documentation (Dropbox, One Drive, Google Drive, company document manager...)
Do online backups
You use applications and/or programs for the management of your company, human resources , etc. that you have to access from the Internet

About the information storage server , it may be that:

The service provider with whom you have contracted manages the mail hosting server
The service provider with whom you have contracted subcontracts the hosting of the emails on a third-party server (and this may in turn subcontract it)
The hosting server is owned by you

About the information of the server :

You have to know the location of the server or, at least, know if it is inside or outside the European Union
If you are in the United States, you should know if you are adhered to the Privacy Shield
You have to know the security measures/certificates that these servers have
And if: you have to have a data access contract on behalf of third parties with the service provider

On the choice of provider :

We recommend that you value the transparency of the information provided by the providers when choosing between one or the other, since it is their obligation to provide such information. If it doesn't, why is it?
We recommend that you read the Guide for customers who contract Cloud Computing services before deciding on the choice of a provider.

Idaira Hernandez Peraza

Director of Consultants Peraza & Asociados, SL

Photo source: Google Images tagged for reuse

Technical cookies Technical or necessary cookies are essential for our website to function properly and include basic functionalities such as identifying the session or giving registered users access to restricted access areas. For these reasons, technical cookies cannot be deactivated.
Statistics cookies We use statistical cookies to see how you interact with the website, gathering anonymous information during the time you browse it. The purpose of collecting this information is to make improvements to the website based on the analysis of the aggregated data.
Preference Cookies By using preference cookies, the website can remember information during your browsing time associated with the way the page behaves or the way it looks, such as your preferred language or the region in which you are.
Marketing cookies Marketing or advertising cookies are used to analyze your behavior while visiting the website and so that, from time to time, other providers can offer you personalized and relevant advertising according to your browsing profile.