Re: [Hampshire] Due Diligence of Service Providers

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M\Andy Smith at <-
MMJan Henkins at ->

Reply to this message
Author: Imran Chaudhry
Date:  
To: hampshire
Subject: Re: [Hampshire] Due Diligence of Service Providers
Many thanks for the replies. I get the digest so I'm going to munge
several replies into one.

>> The backup service providers are often US-based small businesses who
>> outsource functions to other service providers such as Amazon Web
>> Services.
>
> Be careful with putting data on US servers.
>
> The Data Protection Act states :-
>
> "Personal data shall not be transferred to a country or territory outside
> the EEA unless that country or territory ensures an adequate level of
> protection for the rights and freedoms of data subjects in relation to the
> processing of personal data."
>
> Note that the US is *not* on the list of countries with an adequate level
> of protection...
>
> If this is simply backup data - and particularly if you store it in an
> encrypted filesystem - then the backup process may not qualify as a
> "transfer" under the Act. But this is the sort of thing you need to check.

There exists a solution to this called the US Safe Harbor Framework:
http://www.export.gov/safeharbor/eu/eg_main_018365.asp

>
> How much data are you talking about? It might be a lot easier to host in
> Europe...

Because of the nature of the SaaS provider we're limited to specialist
providers. Some of them use Amazon Web Services which offer a regional
service based in Ireland. AWS specifically mention this as a way of
being compliance with regulations:
http://aws.amazon.com/s3/faqs/#How_do_I_decide_which_Region_to_store_my_data_in

> Ask if you can get a definitive list of the backend services in use
> so that you can avoid shared fate (e.g. you lose an important file
> at the same time that Amazon Web Services suffers a global outage,
> and you find that all three of your offsite backup providers
> actually resell AWS). This might be difficult to get them to commit
> to, since they probably want the flexibility to change that behind
> the scenes.
>

The service provider is being cagey about specific details. The claim
to follow security best practice. AWS appear to have a very good
security policy in place regarding their setup
http://aws.amazon.com/security/

> In all honesty if my needs were great enough that just spreading my
> encrypted data over three or so different storage providers wasn't
> enough then I would be tempted to build it myself, using the cloud
> storage services directly.

We're moving more towards SaaS for many things so this idea is out.

Thanks
--
GPG Key fingerprint = B323 477E F6AB 4181 9C65  F637 BC5F 7FCC 9CC9 CC7F


This message was posted to the following mailing lists:
Hampshire LUG
Mailing List Info | Nearby Messages		<-Re: [Hampshire] Something to Download and EnjoyRe: [Hampshire] Due Diligence of Service Providers->
Hampshire LUG Mailing List Archive administrated by WebmasterLurker (version 2.3)