Cloud computing is seeing huge growth. No matter where you look the figures are big. Growth at Amazon Web Services (AWS) was reported as being almost 70 per cent in 2015. Microsoft Azure may be growing even faster, although it is hard to compare like with like.
Then we have the multi-vendor open source OpenStack platform. OpenStack management company Talligent recently released a survey showing an expected growth rate over the next 12 months similar to AWS', albeit with much of that in the private sphere.
Even banks are losing their nervousness about the public cloud, according to Ian Massingham, technical evangelist at AWS.
"We've got lots of financial services customers running on AWS today. In fact, Tesco Bank and Aviva are talking about moving core mission-critical applications to AWS," he said.
The reason that more companies are not doing this has to do with legacy technology rather than legislation or regulation, Massingham believes. He pointed out that AWS customers are able to control what data goes to the cloud, the jurisdictions to which it flows and how encryption keys are handled. AWS is also compliant with the ISO 27018 data privacy standard.
But before organisations in the EU rush to embrace the cloud for sensitive data, they need to make sure their chosen provider is compliant with all the requirements of the upcoming General Data Protection Regulation (GDPR), according to Sheila Fitzpatrick, worldwide data governance counsel and chief privacy officer at storage firm NetApp.
Fitzpatrick also sits on the data protection advisory committee at the EU, and warned that cloud providers too must change the way they operate.
"Cloud providers are going to be affected because they can't pass the buck, they can't say: 'Well, you decide what's going to be in your cloud environment, you control security, you control everything' especially if the cloud provider relies on a third party to manage their data centre," she explained.
Cloud providers have traditionally funnelled responsibility for compliance with regulations down to customers, but the GDPR is going to change all that.
"Cloud providers are going to have joint accountability for any data that is in their environment," said Fitzpatrick, adding that customers need to be particularly diligent in their assessment of potential partners.
"Customers have responsibility for asking the right questions. What third parties do you use to support your cloud environment? Do they manage their own data centre or do they outsource it? Where does the data flow through before it even gets to the data centre? Which jurisdictions are affected?
"Companies need to ask their cloud providers how they comply with privacy laws. They need to do a privacy assessment and not just a security impact assessment. That's something companies don't do and that's not the cloud provider's responsibility. It's the customer's responsibility to ask those questions."
There are also a number of what-if scenarios that should be walked through. "How do you get your data back when there is no longer a business relationship? What happens if there is a subpoena or e-discovery and the cloud provider gets a subpoena?" Fitzpatrick said.
"How do they notify their customers? Will they turn their data over? These are questions beyond traditional security. Customers have to do their privacy impact due diligence."
This sounds onerous for cloud providers and customers, but it needn't be, according to Fitzpatrick. NetApp went through this process eight years ago when it expanded into Europe and decided to comply with a strict interpretation of the data protection rules by picking three of the most restrictive jurisdictions (Holland, Germany and Spain) as its primary authorities and reviewers.
The firm also uses binding corporate rules and model clauses to cover data transfers to the US, rather than the (now defunct) Safe Harbour framework.
"I think people try to complicate things by saying it's overly administrative. The fact of the matter is that if you embrace the law and are transparent about what you do with customer, employee and partner data it's not that difficult," she said.
"It is time-consuming and you do need to understand data privacy and not just security, but it's not that complicated."
The distinction between security and privacy is an important one, Fitzpatrick warned. "The IT organisation should not manage the data privacy infrastructure any more than the data privacy people should manage the data security infrastructure. But they need to partner closely," she said.