Opening today's meeting at the Cloud Security Summit, the President of CSA Italy, Alberto Manfredi, wanted to leave the audience with two takeaways: 1) privacy used to be an obstacle to moving enterprise data into the cloud; we can now say it no longer is, because we have the technical and legal instruments for its governance; 2) the cloud can be secured, perhaps even more easily than traditional IT solutions. Several excellent speakers then set out to show that both claims hold, both in the solutions offered by the providers and in the experience of the client companies.
It must be said that the strategic approach to the cloud (first set up infrastructure and security, then fit the applications, and finally move the data) is not always feasible, as acknowledged by the CEO of the Cloud Security Alliance, Jim Reavis, and often gives way to an opportunistic approach, or even to the simple realization that the cloud has already made its way into the company. Problems and solutions differ greatly when moving from security applied to servers (which tend to be stable over the years) to security applied to services (which can be switched on and off continuously). That may be why there are one million job vacancies in IT security… Moving from IaaS to PaaS and SaaS, the security focus shifts from the customer to the supplier, which implies the need for excellent contract management.
This was spelled out by Mariangela Fagnani (Senior Advisor of Sernet and Board Member of Clusit): responsibilities for privacy and security differ depending on the cloud model; for SaaS they mainly concern governance and compliance, two contractual aspects to be defined precisely, leaving no gray areas, with special attention to the control system. On this specific ground the ISO standards can help: ISO 27017 (applicable to both customers and suppliers), recently introduced, and ISO 27018 (dedicated to the protection of personal data in the cloud), already applied in various companies, even in Italy. Although these are guidelines, and therefore not certifiable, a certificate of conformity can be obtained; Microsoft was the first vendor to receive one for its cloud solution, as mentioned by Andrea Piazza, Chief Security Advisor of Microsoft Italy.
But who better to go deeper into the contractual issues than a highly specialized lawyer? According to Gabriele Faggioli (of Partners4Innovation and President of Clusit), the technological aspects of security can often be covered by providers better than companies are able to do themselves, but for most of those approaching the cloud it is not always easy to obtain safe conditions, especially for SMEs, which typically have little bargaining power towards the big players in the market. We must nevertheless try to ask for transparency on the guaranteed security levels. As far as privacy is concerned, the transfer of personal data abroad and the application of security measures (minimum and appropriate) must also be taken into account. The supplier must provide evidence, and the customer must ask for it to be written into the contract as clauses, following the advice of Opinion 5/2012 of the WP29. In this regard the GDPR will bring a change of perspective: contracts would include data portability clauses pursuant to Art. 20, the appointment of the supplier as Data Processor, and an audit program allowing the Data Controller to collect documentation from an accountability perspective. Not to be forgotten are the obligations in case of a data breach, which will require timely communication to the stakeholders and the DPA, unless the data has been properly encrypted and can thus be shown to be unusable. NB: these changes should be incorporated immediately into all contracts (existing or new) that will still be in effect in June 2018.