UK’s Data Storage Policy in Using Public Cloud Storage
The world changed forever at the turn of the century. Vital data that was once stored on a printed medium and locked in a physical drawer with a key is now uploaded to a public cloud service of unknown physical location. It is mind-boggling to many that we trust the name of the company offering the online or cloud storage service without knowing where and how the files we upload get stored.
As the world entered the big data age, more people and organizations stopped scrutinizing where online data storage solutions locate their files, as long as the data storage provider guarantees 99.99% up-time. Governments have started to recognize this risk to data, and one of the trailblazers of this growing awareness is the United Kingdom. The UK Cabinet Office itself has started an internal initiative to scrutinize the very data its offices upload to public cloud infrastructure.
The guidelines are composed of 14 security reminders to users, described by the UK government as: “It’s possible for public-sector organizations to safely put highly personal and sensitive data into the public cloud. Many UK departments have made this decision based on risk management assessments once they have put appropriate safeguards in place.”
As the document was only marked as “guidelines” and not an official order, government agencies can continue their internal status quo and ignore the guidelines altogether, canceling any of their benefits. But the government leaders who initiated the guidelines hope that department heads and agency leads will see the wisdom behind the cybersecurity guidelines when dealing with public cloud usage.
The problem in a nutshell is that by uploading sensitive personal data to the public cloud infrastructure of a third-party provider, the government agency surrenders control and storage to a for-profit company. This company may have only “profitability” as its guiding principle, rather than its customer data handling obligations as its central responsibility. The moment taxpayers realize that their data, or the personal information of their loved ones, has been mishandled, they can sue the government for negligence. Data such as full names, addresses, social security numbers, tax identification numbers, passport numbers and driver license numbers, stored in the cloud as plain text or images, is a treasure trove for cybercriminals.
UK leadership and all of its subordinate agencies spent an accumulated sum of £19 million to host their data in Amazon Web Services over the last 60 months. The top uploaders are the Home Office, the Ministry of Justice, HM Revenue, Customs and the Cabinet itself. In an ideal environment, government documents containing citizens’ records should never be uploaded to a public cloud platform protected only by the traditional username and password. But the use of such facilities is very enticing for government agencies because of their low price per GB and zero maintenance cost. Storage, power, logistics and technical costs are the expenses that would need to be covered if the government decided to build its own cloud storage infrastructure.