Achieving Regulatory Compliance for Data Protection in the Cloud

The advent of cloud computing has enabled organizations to take advantage of cost-effective, scalable and reliable computing platforms. However, entrusting data hosting to third parties has inherent risks. Where the data in question can be used to identify living individuals in the UK, the Data Protection Act 1998 (DPA) must be adhered to. In this case, adequate security controls must be in place to ensure privacy of the data. Transgressions may be met with severe penalties. This paper outlines the data controller's obligations under the DPA and, with respect to cloud computing, presents solutions for possible encryption schemes. Using traditional encryption can lead to key management challenges and limit the type of processing which the cloud service can fulfill. Improving on this, the evolving area of homomorphic encryption is presented which promises to enable useful processing of data whilst it is encrypted. Current approaches in this field have limited scope and an impractical processing overhead. We conclude that organizations must thoroughly evaluate and manage the risks associated with processing personal data in the cloud.