Who Can Pry Into Your Cloud-based Data?

Can anyone access the data that you trust to the safekeeping of a cloud-computing vendor? It's a good question, made all the more relevant by the revelations regarding the National Security Agency's Prism program. So how can you best address these issues in your contract with your cloud vendor?

By Thomas Trappler
Tue, July 16, 2013

Computerworld — Can anyone access the data that you trust to the safekeeping of a cloud-computing vendor? It's a good question, made all the more relevant by the revelations regarding the National Security Agency's Prism program. So how can you best address these issues in your contract with your cloud vendor?

With cloud computing, data access is inevitably a shared responsibility between the customer and the cloud vendor. Those shared responsibilities need to be addressed in the contract, and most cloud vendors' standard contracts leave something to be desired.

While the cloud vendor is responsible for providing the customer with access to its own data, the cloud vendor should also be contractually obligated to not share the customer's data with others, intentionally or not. This may seem obvious, but there are nuances to be addressed in the following areas:

Internal Access

In order to provide the service you contract for, some of the cloud vendor's employees will likely need to have access to your data. You want to ensure that this access is kept to the minimum degree necessary, so the contract should address:

* Which vendor employees will have data access.

* Whether access is on a "least-privilege" and "need-to-know" basis.

* Whether those privileges are promptly and adequately rescinded when employees leave the vendor or move into a different role at the vendor.

* The manner in which access is granted.

* Whether access is logged, monitored or analyzed.

Let's take a look at how one vendor addresses this issue by reviewing Dropbox's Terms of Service Security Overview. (I will use examples from Dropbox's standard contract, not to pick on that company, but because its terms are fairly representative of the industry. It's worth noting that Dropbox received the second-highest rating in the Electronic Frontier Foundation's 2013 "Who Has Your Back?" Report.) The overview states, in part:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that's the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances.

It would be better if Dropbox further detailed its "strict policy and technical access controls," but otherwise this seems like fairly reasonable language. But then the Dropbox Terms of Service Privacy Policy go on to state:

Continue Reading

Originally published on www.computerworld.com. Click here to read the original story.
Our Commenting Policies