What are the key questions Australian businesses should ask their cloud service providers? In Part 2 of our Security Series, Superloop's security expert, Andrew Lawrence, advises how to comply with the Australian Privacy Act and set a high bar for data security.
Very soon, Australian businesses will need to meet higher standards of data handling as the European GDPR comes into force. Even if your business is not directly caught by the GDPR, it is good practice to review existing processes against the Australian Privacy Act.
This is even more pressing given mandatory data breach reporting (the Notifiable Data Breaches scheme), which came into effect earlier this year. Companies that have deployed cloud applications should revisit where their data resides and what measures their suppliers have in place to secure it and maintain its integrity.
For example, businesses whose staff have signed up to web applications on a self-service subscription may be using services that give no guarantee the data is stored in Australia. This can include data held in popular software-as-a-service applications such as Salesforce or Atlassian.
Many SaaS providers, while they have offices around the world, run on Amazon Web Services (AWS) infrastructure. The Australian AWS region (ap-southeast-2, Sydney) is one of the more expensive regions to deploy in, so some companies may have elected to run their service out of cheaper regions to reduce costs.
Verticals and services affected
Managed Service Providers (MSPs) typically have customers spanning all industries, from finance to health, waste management, automotive and government, so they will be well aware of the obligations coming into effect. Some industries have never had data sovereignty obligations or regulatory pressure from a data sovereignty point of view. Others, such as health and financial services, are well aware of their duties and typically have large in-house compliance teams to manage these issues.
It is important to find out whether your MSP can recommend products that will provide coverage under the Privacy Act and the GDPR.
Smaller companies that have been bought by an overseas entity may need to understand their new obligations, particularly if they have been acquired by European entities whose compliance obligations are increasing under the GDPR.
Five questions you should ask your Cloud provider
1. Where is my data being processed and stored?
This is an important question because some cloud applications store data offshore. Ask the cloud service provider which regions your data is stored and processed in, including backups and replicas, and what contractual guarantee they give that all data will continue to reside, and be processed, within Australia.
2. Do you have sub-contractors?
Cloud providers will often work with sub-contractors to transfer, store and process information. If this is the case, you will need to ensure information governance frameworks are in place so that those sub-contractors also comply with data privacy legislation, and that the provider's own commitments on data location flow down to them.
3. What technical measures are in place?
Every cloud provider should have measures in place for protecting personal data, and organisations need to understand how their data will be secured and protected.
Keeping data on premise or in-country provides peace of mind, but in-country storage alone does not stop a provider's offshore staff from accessing it. In the online world data has three states, in use, in transit and at rest, so it is important to assess what technology protects your data in all three states, not just where it is stored: encryption and key management at rest, TLS in transit, and access control over who can decrypt and view it in use.
4. How is it encrypted?
In a world where cyber-attacks and accidental data leaks are common occurrences, encryption must travel with the file wherever it goes, regardless of how it is transported or stored. This means encrypting data before it leaves your control, under keys that you hold, and authorising only those who are allowed to view the content to decrypt it. A provider that holds your encryption keys can still read your data, so ask who controls the keys, not just whether encryption is used.
Strong encryption under customer-held keys lets your business control where data can be used: a copy that ends up stored offshore is useless to anyone who does not hold the key.
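The following is an added example, not code from the original article or from Superloop, showing what "encryption that travels with the file" looks like in practice for the points under questions 3 and 4. A record is encrypted client-side with AES-256-GCM under a key the customer holds, and a cleartext label (tenant, intended region, data classification; the label format is an assumption) is bound to the ciphertext as associated data. The provider can store, replicate or move the envelope, but cannot read it, and if the label is altered (for example to relabel the data for another region) decryption fails. The sample record and key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the unit that actually leaves the customer's control: the
// ciphertext, the nonce, and a cleartext label that was authenticated
// together with the ciphertext. The label format below is an assumption.
type Envelope struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit key. In practice the customer keeps this in
// its own KMS or HSM; the provider never receives it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM before it is handed to the provider.
// The label is passed as associated data: it stays readable so the provider
// can route or index on it, but any change to it makes Open fail.
func Seal(key []byte, label string, plaintext []byte) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per message; never reuse a nonce under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return &Envelope{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open verifies the GCM tag over ciphertext and label, then decrypts. Only a
// holder of the customer key can do this, wherever the envelope was stored.
func Open(key []byte, env *Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Label))
}

// RoundTrip exercises the three outcomes a practitioner should check:
// the key holder recovers the data, a relabelled envelope is rejected,
// and a different key (the provider's, or another tenant's) gets nothing.
func RoundTrip() (recovered, tamperRejected, wrongKeyRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	// Constructed sample record; not real personal data.
	record := []byte(`{"name":"Sample Customer","dob":"1980-01-01"}`)
	label := "tenant=acme;region=ap-southeast-2;class=personal"
	env, err := Seal(key, label, record)
	if err != nil {
		return
	}
	pt, err := Open(key, env)
	if err != nil {
		return
	}
	recovered = bytes.Equal(pt, record)

	moved := *env // provider "moves" the data by rewriting the region label
	moved.Label = "tenant=acme;region=us-east-1;class=personal"
	_, e := Open(key, &moved)
	tamperRejected = e != nil

	other, _ := NewKey() // a key the customer did not issue
	_, e = Open(other, env)
	wrongKeyRejected = e != nil
	return
}

func main() {
	r, t, w, err := RoundTrip()
	fmt.Println("recovered:", r, "tamper rejected:", t, "wrong key rejected:", w, "err:", err)
}
```

The design point is that the provider only ever sees the envelope. Data at rest and in transit is protected regardless of region or sub-contractor, and "in use" decryption happens only where the customer's key is. With random 96-bit nonces, rotate the key well before 2^32 messages to stay within GCM's safe limits.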
5. What data governance is in place?
Providing an information 'safe haven' can be difficult given how rapidly legislation changes, so it is important to ask any provider that stores personal data on your behalf about their data governance policies and procedures, including how they handle access requests, retention and deletion, and how they will notify you of a breach.