Last July 1st, Article 29 Working Group published opinion 05/2012 on cloud computing (pdf). We think it was interesting to analyze it in detail from our perspective as rating agency considering the importance of these "opinions" and the relevance of their findings, specially, the undoubtedly support it means for trusted third-party services, such as security rating from leet security. We have divided the content of opinion document in five parts: 1. Data protection risks Document considers two main types of risks: lack of control over personal data and insufficient information about data processing. Contribution of rating: As we have mentioned before, being rating, basically, a transparency mechanism, it helps with the last identified risk, providing information to clients (data controller) about security measures implemented in provider (data processor) processes. 2. Key drivers Document identifies three key drivers: Security, Transparency and Legal certainty. Contribution of rating: Using a rating system as proposed by leet security helps to take advantage in issues as security and transparency from cloud computing. 3. Data protection requirements Requirements are divided into three types:

  1. Compliance with basic principles
  2. Contractual safeguards
  3. Technical and organizational measures

Contribution of rating: As you can see in previous mind map, rating allows clients to adapt to requirements regarding technical and organizational measures and to many of contractual safeguards. Specifically, rating use allows:

  • Specification of security measures (depending on the risk and the nature of data) - Considering that in contract a minimum rating can be specified and that rating implies implement some measures, it is not necessary to list exhaustively all the measures to comply with.
  • Ensure the existence of confidentiality clause, right to monitor and logging and audit of relevan processes - These measures are part of the compromises that provider takes to use the special level of rating for compliance (marked with a plus symbol '+').
  • Existence of mechanisms to notify to clients in case of data breach and of changes in the service - Rating service conditions of use include notification to the agency of any situation that could affect the rating level in every moment which includes above situations.
  • Give assurance of internal organization and arrangements compliance with legal requirements - On the one hand, the agency oversees that services have a certain level and, in the other, considering that for achieving a rating all subcontracted services must have, at least, that rating, all the arrangements made by the provider should comply with the requirements of the level.
  • Finally, regarding technical and organizational measures, rating guide includes measures that should be addressed to perform data processing for each level (low level measures have been included in rating 'D' of confidentiality dimension, medium level ones have been included in rating 'C', and high ones in rating 'B').

4. Duties and responsibilities

Logically, the document includes duties and responsibilities for both the client and the provider.

Contribution of rating: As mentioned in the document, client should choose a provider that guarantees compliance with data protection legislationIn this way, our rating system includes, as mentioned before, the measures needed to perform data processing of different levels and the requirements included in legislation. So, if the confidentiality dimension of rating is:

  • 'D+', then the service is suitable for processing low level personal data.
  • 'C+' idem for medium level data.
  • 'B+' or 'A+' then service is suitable for high level personal data processing.
As mentioned above, to get that ratings, provider has to comply with actual legislation ("adopting security measures in line with those in EU legislation") and services subcontracted must have, at least, the same rating ("guarantees that subcontractors comply with EU privacy Directive").

5. Conclusions

Conclusions provided by the opinion document can be classified in the following way:

  • A general conclusion: "Businesses wishing to use cloud computing should conduct, as first step, a comprehensive risk analysis".
  • Guidelines for clients and providers.
  • Third party Data Protection Certifications.
  • Future developments.

Contribution of rating: In relation with general conclusion, as we have mentioned in other occasions, rating allows to potential clients of cloud computing services to choose between services that better fits risk level of client business process. Thus, rating simplifies this previous process and, in consequence, cloud computing services procurement.

Related to guidelines for clients and providers, the use of the rating addresses almost all recommendations made by the working group (see the issues marked green on the mind map above) that are mainly the ones commented in previous paragraph 3 (Data protection requirements).

Finally, the element most relevant for us is the one related with third party data protection certification. The document recognizes that:

  • involvement of a reputable third party is a credible mean to demonstrate compliance with provider obligations.
  • a third party can be used as a mean of exercising the client's right to audit the provider.
  • the adoption of standards is a good way to establish a relationship of trust between the parties.
  • standards used must include both technical and procedural measures.

For all there reasons, we believe the document is an unquestionable support for the security rating service as it includes all the features mentioned above:

  • The agency is an independent body without any interests besides the rating itself.
  • The agency is committed to audit the  services it rates (rotary and randomly).
  • The scoring guide includes technical, organizational, procedural, and formal measures from the legislation on data protection.

You can follow us on twitter.com/leet_security

9 de julio de 2012