Issue link: https://epubs.iltanet.org/i/45522
SAFER CLOUD, BETTER PRACTICE: TEN CLOUD-COMPUTING CONSIDERATIONS Data are at-rest when stored on some form of permanent storage, like a hard drive. Your cloud computing vendor will have a copy of all data you have uploaded, stored at-rest on their (or a third- party's) hard drives. Any data saved to your on- premise servers, desktops and laptops would also be considered at-rest. When possible, data stored at-rest should be encrypted using a strong encryption algorithm such as AES or Blowfish. Encrypting at-rest data provides protection from loss and theft, so that even if a device such as a server, desktop or laptop falls into the wrong hands, the data contained therein will be indecipherable. Data are in-transit while being transmitted from one location to another, whether you are visiting a website, checking email, or uploading files via FTP. Sensitive data should always be encrypted when in- transit. Web traffic should be secured using SSL. All other information sent over the Internet — including email (POP/IMAP), FTP and related protocols — should employ SSL or similar encryption, like TLS. With information encrypted in-transit, your data are protected against potentially insecure segments of the communication pathway through which your data will flow on its way to and from your cloud provider, such as your local Wi-Fi connection, your ISP's routers or a switch at a major peering facility. 3. 3. Where are the physical servers, and who has access to the data? The "cloud" is a nebulous concept. However, all data in the cloud reside within at least one, but often several, physical servers. These servers are, in turn, located within localities that usually impact how the data might be accessed and stored. Some jurisdictions will require access for certain military or other public sector inquiries, while others are more laissez-faire. The same is true of cloud providers: Some focus more heavily on data security and provide no-monitoring policies, while others access data for a variety of purposes. As a result, it is advisable to select a reputable provider that stores data within the nation in which you are practicing — presumably because you will be more familiar with the laws affecting the data in question, and therefore be better poised to respond to any related inquiries. While the United States has been criticized by a number of other developed nations for combining an arguably less consumer-focused data protection regulatory scheme with broader opportunities for government intrusion into privately operated networks, shifts in the regulatory landscape in the U.S. and abroad are certain to have a significant impact in the near future. As a result of these uncertainties, practitioners today must consider not just where the data are stored for purposes of the practice's compliance with law, but must also understand how the location, nationality and presence of the client (and his or her data) in a foreign jurisdiction could impact the obligations to the client. For example, the data of Massachusetts residents might be afforded certain additional protections even when handled outside of the state, and nationals of certain countries within the European Union might have standing to assert certain rights to how their data are transmitted and stored under supranational laws and even treaties with the United States (see the U.S. Safe Harbor program for more information). www.iltanet.org Risky Business 21