OTTAWA – Businesses contemplating cloud computing should worry less about the U.S. Patriot Act and more about thumb drives and border crossings, panelists at the Privacy and Information Security Congress said here Monday.
David Fraser, partner with the Atlantic Canadian law firm McInnes Cooper, said many people believe it is illegal to put data in the cloud if that means it will be stored south of the border because of provisions in the U.S. Patriot Act that allow the American security establishment to seize information without a conventional warrant or any notification to the data’s owners.
Whether or not many people believe it is illegal (it is not, though some provinces put limits on where certain data such as health records may be stored), comments from the audience showed there are concerns about the Patriot Act, particularly the fact that the law expressly forbids a cloud service provider from notifying a data owner when data is seized under the act.
But Fraser argued that Canada has similar legislation and that U.S. law applies to any company with a substantial connection to that country anyway, so insulating oneself from such government intrusion is not as simple as ensuring data stays north of the border.
And he said other risks are more significant – like thumb drives that plug into Universal Serial Bus (USB) ports. These are the No. 1 source of data breaches, according to Fraser.
“Go to the front desk of a hotel and say that you’ve lost your thumb drive,” he said, “and they’ll probably pull out a box of them.”
And if you’re concerned about governments snooping into your data, he added, “any time you cross the border … they can open up your laptop and they can clone your hard drive.”
Cloud computing could actually be a solution to both those problems by allowing computer users secure access to data from anywhere so they need not carry sensitive data on laptop hard drives or USB thumb drives, said Fraser.
Omkhar Arasaratnam, cloud security lead architect for SmartCloud Enterprise at IBM Canada Ltd., agreed with Fraser that keeping data at home is no panacea. And he said cloud security is not much different from information security in general, which is mainly about risk management and education.
Putting too many restrictions on what people can do won’t work, said Arasaratnam. “If you as an IT department are too restrictive, your end user community, your executives or their children will find ways around it.”
The best hope, he said, is to educate people so they understand why some behavior is risky, and look for ways to ensure security without restricting people’s use of technology too much.
The fact that cloud computing is new doesn’t necessarily mean it is insecure, said Arasaratnam. But Winn Schwartau, moderator of the panel, well-known speaker and author of several books on security, observed that IT has swung back and forth between centralization and decentralization several times since the 1950s, and asked the panelists what businesses should do to ensure they can get off the cloud should the pendulum swing again.
Fraser advised making sure contracts are clear about ownership of data and the client’s right to have it returned. Arasaratnam added that it’s important to ensure the data comes back in usable form, not as paper printouts or files in incomprehensible formats.