As anticipated, the second booklet presented with the Annual Report of the Italian Authority for the protection of personal data deals with the system of cloud computing. Here we present a brief summary for the benefit of those who have doubts about the level of security and confidentiality of their data uploaded “in the cloud”.
Given the increasing offer of these services, the booklet presents itself as a “series of precautions” aimed at encouraging their appropriately aware and responsible use.
“Cloud computing” is a set of services for which resources are easily accessible and configurable on a network. Once they are connected to a cloud provider, users can perform certain activities such as using remote software not directly installed on their computers or save data on online storage systems.
It is essential to differentiate between private and public clouds. In neither case does the data reside on users’ “physical” servers, but whereas a private cloud is a closed system dedicated to the needs of a single organization, management of which is entrusted to a third party (easy to control), the infrastructure of a public cloud is owned by a supplier, the use of which is made on the web.
In a public cloud, confidentiality and availability of information are entrusted to the security mechanisms adopted by service providers and users who upload their data lose most of their ability to exercise adequate control over it.
The Italian Authority focuses on a number of aspects regarding cloud computing that require particular attention. For example if the chosen service is the end product of a transformation chain of services from other service providers apart from the vendor the user signs the service contract with, it may not be possible to ascertain which of several managers of intermediate services can access certain data. In addition to this, in the absence of adequate guarantees on the quality of network connections, temporary problems of data accessibility may be experienced due to breakdowns or traffic overloads; in other cases, portability and interoperability might be jeopardized by the passage of data and documents from one cloud system to another, or during an exchange of information with users of different clouds.
Outsourcing data to remote providers is not the same as keeping it on one’s own system: there are advantages and drawbacks that need to be taken into consideration. In this regard the Authority has drawn up a series of actions that are to be considered indispensable in order to use cloud services with due care and awareness:
-Prioritize consideration of risks and benefits of the services offered.
– Prefer services that facilitate data portability.
– Ensure the availability of data in case of need.
– Select the data to be included in the cloud.
– Do not lose sight of data.
– Be aware of where data will effectively reside.
– Pay careful attention to terms of contracts.
– Check the conservation policies of persistent data.
– Demand appropriate safeguards for the protection of confidentiality of data.
– Provide appropriate training for staff
The Authority closes with the reminder that the adoption of outsourced services does not relieve companies and public administration of their responsibilities for the protection of personal data. Thus, when using cloud computing it is essential to “rationalize its distinctive features in order to identify potential risks associated with such services and therefore to be able to take effective and specific protection measures.”