Out-Law News | 20 Aug 2013 | 2:18 pm
Google said that 'keys' to the encrypted data stored in its Google Cloud Storage systems will be regularly updated and that access controls and auditing procedures will be put in place.
"Google Cloud Storage now automatically encrypts all data before it is written to disk, at no additional charge," Dave Barth, Google Cloud Storage product manager, said in a company blog. "There is no setup or configuration required, no need to modify the way you access the service and no visible performance impact. The data is automatically and transparently decrypted when read by an authorised user."
"If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys. We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing. Each Cloud Storage object’s data and metadata is encrypted under the 128-bit Advanced Encryption Standard (AES-128), and each encryption key is itself encrypted with a regularly rotated set of master keys," Barth added.
Businesses will remain free to encrypt the data themselves prior to storing it in the Cloud Storage infrastructure. Barth said the new "server-side encryption" practices apply to all new data loaded into the system and that there are plans in place to ensure that previously loaded information is encrypted "in the coming months".
In guidance issued by the UK's data protection watchdog last year, businesses were encouraged to consider whether personal information they wish to store in a cloud environment should be encrypted both when it is in transit and "at rest". The Information Commissioner's Office said that personal data that is "in transit" should always be "secure and protected from interception".
"This can be achieved by using an encrypted protocol," the ICO said in its cloud computing guidance. "The encryption algorithm used should meet recognised industry standards. The cloud provider should also be able to give assurances that data in transit within the cloud service is appropriately secure. This includes data transferred between data centres which may be separated geographically."
"The cloud customer should also consider if it is appropriate to use encryption on data ‘at rest’, ie when stored within the cloud service. This will depend on the nature of the personal data and the type of processing being undertaken in the cloud. This will be an important consideration when sensitive personal data is being processed," it added.
The ICO acknowledged that businesses that use cloud providers offering 'software as a service' (SaaS) may be less able to ensure that the provider encrypts data than if they were using other kinds of cloud services.
"In an IaaS (infrastructure as a service) or data storage scenario, it is much easier for the cloud customer to insist that all data is encrypted before it leaves his, or the cloud user’s device," the ICO said. "However, in a SaaS cloud this is more difficult to achieve because the cloud provider may need access to the data in order to perform the necessary processing."
The watchdog also stressed the importance to data protection compliance of keeping encryption keys secure, and said that losing the keys to the information could in itself amount to a breach of the Data Protection Act (DPA).
"If encryption is used as a technical measure to secure data, it is important to ensure the security of the key," the ICO's guidance said. "A robust key management arrangement is crucial to maintain the level of protection encryption can offer. It is also important to note that the loss of an encryption key could render the data useless. This could amount to the accidental destruction of personal data – this would be a breach of the DPA’s security principle."
Under the DPA, data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
When outsourcing personal data processing to others, data controllers are required to select processors that can provide "sufficient guarantees" that they can properly meet the "technical and organisational measures" requirement and that they will "take reasonable steps" to "ensure compliance".
Data controllers must establish a written contract with data processors specifying that the processor may only undertake processing activities that the controller tasks them with. The contract must also require the processors to comply with the "technical and organisational measures" requirements under the DPA. Data controllers are also responsible for any failure of processors in meeting those personal data security standards.
However, where personal data processing by sourcing providers, such as cloud computing platforms, will or could take place outside of the European Economic Area (EEA) under the terms of the outsourcing agreement, further rules under the DPA also need to be adhered to.