By Michał Jaworski, Technological Strategy Director, Microsoft Poland
In the last 25 years, the development of the Internet has influenced the world on an unprecedented scale. Our fears of using the global network have become almost as big as the benefits that it brings us. In the last few years, with the scale of Internet crime constantly increasing, we realize almost every day that we cannot manage the threat of cyber crime alone.
Initially – and rightly so – the cloud was primarily presented as a new economic model of using IT. Instead of investing in servers and IT staff, the cloud offered flexible resources, as well as the ability to dynamically adjust to the requirements of the business and to constantly have access to the most recent, updated solutions. It also changed how IT solutions were bought. Both the infrastructure and the software had become services.
One of the most common challenges in relation to the transition to the cloud was a shift in responsibilities. In the previous model, it was clear – it was my company, my IT department and my Information Security Administrator that were fully responsible for the efficient operation of systems, for cyber security and for personal data protection. If some of these IT operations were outsourced, the responsibility had to be shared between the user, his departments, and the cloud provider. This responsibility sharing has been, and is, adjusted in two ways – by regulations which define the framework for the use of the cloud, and by agreements between the user and the cloud provider.
The evolution of the legal framework around the cloud
The law is constantly evolving, keeping up with technological changes. The solutions that were considered sufficient several years ago can be criticized today, and requirements are expanding constantly. This is what happened to the Safe Harbor agreement of 2000 concerning the transfer of personal data between the EU and the US, which was declared invalid by the Court of Justice of the European Union. But this does not mean that users and providers who use better and newer data protection rules have been affected by this judgment. Take, for instance, Microsoft services such as Office 365, CRM Online and Azure, in which European standard contract clauses have been used for years to provide an adequate level of data protection on both sides of the Atlantic. This kind of legal security is expressly written in Poland’s Personal Data Protection Act.
Data security is a necessity, but also an initiative of service providers
Cloud providers voluntarily go beyond what is required by law, because this is what their customers demand and something their competitors are willing to provide. Add to this the increasing threat level. In today’s reality the real danger is organized crime. In Poland, we’ve had cases of attacks on some of the supposedly best-protected businesses, such as banks. Worldwide, there were cyber attacks against pipelines and energy systems, and these are not institutions that lack the funds for security measures. Only the biggest players, among them cloud providers, will be able to afford true security measures and hire the best professionals. Others, including institutions which have not yet recognized the need to invest in cyber security, will not be able to cope with potential threats.