CSPs must ensure transparency on data location to restore trust in cloud services, warns APM Group
The recent PRISM scandal highlights the need for end users to understand government attitudes to surveillance and privacy. According to APM Group, the Cloud Industry Forum’s (CIF) independent certification partner, the case casts light on the important questions end users need to be asking of their Cloud Service Providers (CSPs), if they are to prevent their data from unwittingly being stored in undesirable jurisdictions.
According to Richard Pharro, APM Group’s CEO, without clarity on data location it will become increasingly difficult to maintain and grow trust in the cloud:
“This latest episode will have revealed a blind spot for cloud users, many of whom remain in the dark about precisely where their data is being stored and who has access to it. Moving data to the cloud can often mean it is hosted in another country and subject to different data laws. Privacy laws are not standardised across Europe, and as we have seen, even countries with quite strict legislation have anti-terrorism laws that can allow governments to access your data. Businesses have the right to know where their sensitive and confidential information is being stored, and what protection and legislation this data is subject to.
“In order to understand the best fit of cloud, it is important that organisations are able to make a practical assessment of the criteria that will help define the options possible. Key to this is knowing the questions to ask your CSP, pertaining to things like data sovereignty, data security, and interoperability, as well as business continuity planning, operational transparency and capability. On balance, and depending on the type of data being stored, businesses may want to seek out jurisdictions with more favourable privacy laws, like France or Germany.”
Pharro pointed to the CIF Code of Practice as a means for end users to sift through reputable suppliers and find a CSP that best suits their needs:
“CSPs that certify against the Code of Practice are required to make public their approach to transparency, capability and accountability, and their data handling practices, including where data is stored. In short, the information that an end user would need to be able to make an informed choice about their CSP that meets their data handling and storage requirements.”
For further information about the Cloud Industry Forum’s Code of Practice, please visit: http://www.cloudindustryforum.org/code-of-practice/code-of-practice
About The APM Group Limited
APM Group Limited is a global business providing accreditation and certification services. Through an international network of Partner Organisations and Accredited Organisations they help end users develop their professional skills and organisations improve their processes through the adoption of worldwide best practice and international and national standards.
The APM Group is the only organisation offering professional qualifications in Programme and Project management with third party independent accreditation through the United Kingdom Accreditation Service (UKAS).
The APM Group holds UKAS accreditation for three international standards, ISO/IEC 17021, ISO/IEC 17024 and ISO/IEC Guide 65 (BS/EN ISO 45011). They also offer certification of their clients to ISO/IEC 9001 and hope to receive approval to offer ISO/IEC 27001 to these clients shortly.
The APM Group also offers a Registration scheme for Registered Certification Bodies for the itSMF/APMG ISO/IEC 20000 scheme.
APM Group works closely with the Cabinet Office, part of UK HM Government, and the official publisher TSO (The Stationery Office Ltd), in running global accreditation schemes in PRINCE2®, MSP®, M_o_R®, P3O® and ITIL.
Other partners include CESG, itSMF and the UK’s Chartered Management Institute.
For further details about The APM Group’s qualification, certification and endorsement schemes visit: www.apmgroupltd.com or call +44 (0)1494 458948.