Text size




The Digital Society: Should You Treat Cloud Services Like A Marriage?

The process of securing your data comes down to three main criteria – accessibility, integrity and confidentiality. We talked about these three criteria that are also relevant for cloud services with Jaan Priisalu, the director of the Estonian Information System's Authority.

Accessibility means that your data can be found and accessed. Integrity implies that the data comes from the correct source and has not been tampered with. Confidentiality means that the data is only available for the authorized people.

In cloud services, the most crucial pain point is the fact that the system processing your data is not under your control. This means that you rely on the owner and administrator of the system and their possible errors. However, it may also save you from making small mistakes of your own. Therefore, cloud services can simultaneously be a solution and a problem.

Cloud services are like a marriage

According to Jaan Priisalu, users of cloud services should first try to understand what the data is needed for and, should they end up in the hands of others, be changed or lost, what are the consequences. “As in a marriage contract, it should be clear what the terms are for getting out of the relationship or getting back your data should the necessity arise,” Priisalu draws an earthy comparison.

A good example of getting back your data in a structured way was the case of Google shutting down their RSS-service, Google Reader. The customers were enabled to take their feeds with them and move them to other service providers.

Encryption guarantees security

Talking about confidentiality, Edward Snowden’s case is a good example of US intelligence having access to data from the companies under their jurisdiction. “In Estonia, the situation with confidentiality is better from an individual’s point of view, although people are not fully utilizing the encryption functionalities that come with their ID cards. Encryption assures the integrity of data – if your signature is intact, you can be sure that no one has tampered with your data, and if you’re smart enough to encrypt your data and have sole access to your key, you can also be certain that nobody else is able to read the data,” Priisalu explains.

“In order to send an encrypted message, you need to know the recipient’s key. In the past, a registry of public keys related to ID cards was helpful for that purpose. However, after the registry was closed down by the Chancellor of Justice due to data protection violations, the overall encryption capabilities have paradoxically decreased and in fact matters are worse in terms of data security.”

Time stamps reassure

GuardTime, the Estonian-rooted data security company, has helped to improve the situation. If a key that was once at your sole disposal should suddenly become public, you need to have the opportunity to say that the key is no longer valid. However, previous signatures with the same key should still remain in force. One thing that GuardTime helps to ascertain is the time when a change was made.

“It would be rather expensive to constantly check if the service provider is correctly managing your data. GuardTime assists in keeping a log and having that as a proof for the integrity of your data. This makes checking much simpler and easier, also in the cloud,” Priisalu claims.

35 million hours saved

Talking about future perspectives, Priisalu considers it likely that in the near future states will be initiating cross-border programs for digital signatures or IDs, much like the systems widely in use in Estonia. “The world clearly sees the benefits of digital signatures. In Estonia, we are seeing 35 million digital signatures per year, with as many hours saved. This makes up a week’s worth of time for a single person in just a year,” Priisalu brings an example.

Focus on accessibility

Today, confidentiality is clearly in the foreground of data security, with integrity lagging behind. “In the future, the focus will be on accessibility. It also depends on the specific field of operation – if a bank makes an error in counting the money, then this kind of bank with integrity issues will soon be out of business due to lack of trust. So for a bank, the list of priorities should be integrity, accessibility and then confidentiality,” says Priisalu.

With the Internet of Things becoming more and more powerful, people increasingly are trusting their lives to cloud service providers. In the case of smart homes, automated and interconnected systems are basically responsible for the things nearest and dearest to us. It is not yet fully clear how security should be maintained in these circumstances. “It’s likely that security will become an integral part of many of the services used. All the providers in the market need to start thinking about data and system security.”

Also, a change needs to take place in the understanding of our interconnectedness. “Until now, risk management in organizations has been about who we depend on and what happens to us if something happens to them. But in fact, all organizations are responsible for others, so you also need to think about who is dependent on you,” Priisalu adds.

The Digital Society – e-Estonia newsletter, September 16, 2013

Topic: RIA

Added 24.09.2013

Back to page "News"