“Confidential information must be considered breached”. This is stated by a Swedish Legal Expert Group in a recently published statement on the use of cloud services for confidential information.
This applies to cases where they are handled by a service provider that is subject to jurisdiction that may force the supplier to disclose the data without legal grounds in Swedish law.
One example: A few years ago, the city of Gothenburg procured cloud services to the employees' computers. The idea was to use Office365 for confidential information. Due to security concerns, the issue has been rolled around in various instances since then. The issue was highlighted by CLOUD act, a US law that forces service providers to disclose information to US authorities. This without considering local legislation in which the client exists.
It is satisfying that the question is highlighted from a legal perspective, and that the conclusion is what it is. As in the example above, why should the U.S. authorities have access to confidential information about people in Gothenburg?
Why should the U.S. authorities have access to confidential information about people in Gothenburg?
Before the digitization, we had never accepted that a foreign authority had a key to a backdoor into the journal archive at the hospital - why should we accept it today?
How do you rate the security level for confidential information of a cloud service?
What jurisdictions affect the service provider?
Which legal systems can exert pressure on the service provider? This concerns both ownership and management structure all the way to the operational staff. If these exist in several countries, the risk of disclosure in violation to e.g. Swedish law is higher.
What other customers does the service provider have?
If the operator has many and important customers in one country, the risk that the operator is forced/attracted to unwanted actions is higher.
Where is the information?
It is very important in which countries the actual information is.
How segmented is the information?
Does the supplier share premises, hardware, locks and alarms, and staff between many customers - or are these resources used exclusively for us?
There are service providers who use cloud service technology completely stand-alone. The information is then in a designated location, locked in non-shared areas, only handled by designated security-cleared personnel, on hardware that is not shared with any other customer.
How is information prevented from being moved from its designated location?
There is a big difference between a contractual barrier that can easily be overruled by a government decision and technical protection which, made in the right way, makes it impossible for unauthorized access to the information. With the right segmentation, even the service provider's own staff cannot access the information.