Addressing cloud security issues can be daunting. In the first post of this series we saw that the cloud is simply a computer where you store your files and documents over the internet. Problems arise when you copy your files to a computer owned by a third party cloud provider. You lose control of your data, the provider can access your stuff at any time and can inspect your files. But these are just the tip of the iceberg. In this post we will take a look at the issues of ownership, data residency, legal jurisdiction and legal access by law enforcement.

Ownership

The first of the cloud security issues that we will look at in this post is that of ownership. When you store your stuff on your own computer, you alone are responsible for keeping it safe. But when you upload and copy it to the cloud provider you are essentially publishing it – even if it’s just for you. For the cloud service to work as designed, you give the service permission to store and make copies of stuff you stored. When it comes to ownership, according to the cloud providers it is simple – you own the data stored in the cloud. But you are giving rights to the cloud provider that erodes your ownership. Here’s what Apple co-founder Steve Wozniak says about consumer clouds and the erosion of data ownership.

“Nowadays in the digital world you can hardly own anything anymore. It’s all these subscriptions… and you’ve already agreed that every right in the world belongs to them and you’ve got no rights. And if you’ve put it on the cloud, you don’t own it. You’ve signed away all the rights to it. If it disappears, if they decide deliberately that they don’t like you and they cut that off, you’ve lost all the photographs of your life…  When we grew up, ownership was what made America different than Russia.”

Google states your ownership like this.

“You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you, stays yours.”

And then Google states their rights to the stuff you own like this.

“When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps).”

According to Google, it retains these rights in order to give you the services you want – for example to enable you to share a document or to open it on a different device and according to the terms of service that permission continues, even if you stop using the service.

Data Residency

In light of the Snowden revelations and in order to safeguard the privacy of its citizens, the European Court of Justice struck down the 15 year old ‘safe harbor” agreement with the U.S. forcing Europeans to store their files on cloud servers located in Europe, under European jurisdiction and European law. In other words, they cannot store files in the U.S. under U.S. law nor under any other foreign jurisdiction.

When it comes to cloud security issues, some countries such as China and Russia have strict data residency requirements for maintaining control over the location where data and documents physically reside. Other countries such as Australia, Hong Kong, Canada, Germany, Italy, Luxemburg, Mexico, the Netherlands, Singapore, Switzerland and the U.K. regulate data residency for some types of information such as government files and healthcare records. Australia for example has the Privacy Amendment Act, Germany has The Federal Data Protection Act and the UK has The UK Data Protection Act. In addition, many professional associations such as law, accounting, finance, mortgage brokers and banking have professional standards for their members that include data residency requirements to govern the use of cloud service providers and to keep information within a defined geographic jurisdiction. The reason is simple. To maintain professional standards, they do not want personal and confidential files to come under the jurisdiction of a foreign power.

Legal Jurisdiction

But wait – even if you comply with data residency, you may still have cloud security issues when protecting your confidential files from foreign jurisdictions. When it comes to legal jurisdictions and cloud storage, you will find that who has jurisdiction over the files stored in the cloud is, well a bit cloudy. Are the files under the jurisdiction of the country where the physical storage is, under the jurisdiction of the country of the owner of the files or under the jurisdiction of the cloud service provider?

Even though the European court struck down the safe harbor agreement with the U.S., European law is meaningless to the U.S. judicial system. If the cloud provider is a U.S. company, it can be served with a U.S. search warrant for content it has in its possession regardless of where that content is located. As a U.S. company, in the eyes of the U.S. courts, it is under U.S. law. U.S. courts simply do not recognize the laws of other countries.

For example in late 2013, Microsoft was served with a search warrant  by the U.S. Department of Justice for all content it had related to an email account of an Irish citizen held on its Microsoft servers located in Ireland. In order to comply with EU law, Microsoft responded by telling the DOJ that it should make its request to Irish authorities instead. The DOJ however argued that it doesn’t need to go to the Irish government because Microsoft is a U.S. based company and therefore must comply with U.S. law. Although this particular case is still before the courts it highlights the tensions between conflicting jurisdictions. Can the U.S. government reach into a European data center to obtain the personal communications of EU citizens without paying attention to EU law? If Microsoft obeys the DOJ request, it will be in violation or EU law. If it refuses the DOJ request, then it is in violation of U.S. law. The semblance that users actually own the files they stored on the cloud is gone. Because Microsoft owns the servers where the files are stored, for all intents and purposes, the DOJ is treating Microsoft as the owner of the files. Legally speaking, the concept of custodian and tenant that we looked at in part 1 of this series is made irrelevant.

The lesson is, when you store your stuff in the cloud, even if the files are stored on servers located in your own country, in the eyes of the law you may not be considered the owner of the files and your files may still be under the jurisdiction of a foreign power.

Legalized Secret Access By Law Enforcement

What about law enforcement trying to access your stuff? With a computer in your home or business, you’d have to be served a warrant and law enforcement would need to enter your premises to physically access or confiscate the computer. You would know and can involve your own lawyers. But with remote storage, you may not know that the cloud provider was served a subpoena or warrant or security order. In fact, the provider is almost always prohibited by law from telling you. The technology of cloud storage is what makes secret access by law enforcement viable. If you offer a service for example where client privilege is protected or assumed such as the attorney-client privilege of a lawyer, that privilege has the potential of being violated if you use a third party cloud provider.

Although nearly every provider’s terms read differently, one thing remains the same. They all tell you explicitly they must and will comply with legal requests from law enforcement (meaning secret access orders) and are not responsible for any loss you experience.

Addressing Cloud Security Issues – The Better Way

Because of tremendous productivity gains, we all use the cloud. Big companies with privacy and security concerns have built their own private clouds. But private clouds are expensive and require an IT department to set up and maintain. So what about those who do not have the resources to build their own cloud. Well there is a better way. The better way is this – Keep your files right where they are, on your own storage, under your own control, behind your own firewall and on your own premises. Securely access, share or stream that content from its source location using FileFlex. You don’t need to build a private cloud or copy anything to a third party provider.

Use FileFlex To Address Cloud Security Issues

The easiest way to address cloud security issues is FileFlex. FileFlex allows secure remote access, sharing and streaming of your own storage – all your storage – server storage, server attached storage such as NAS, SAN and DAS, desktops, laptops and FTP from any device, from anywhere.

What Are You Waiting For?

Use FileFlex to address cloud security issues by remote access, sharing and streaming of your own storage. It’s Free to Try. Click here to see for yourself.

In the final post of this 3 part series on cloud security issues we will look at outages, security considerations and compliance issues.