KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
What often gets overlooked in the conversation on cloud security is the subject of “deletability" of cloud data. During this session our expert panel explore the topic of whether cloud data that is “deleted” by an end-user is actually completely removed from the cloud? By end-user we mean the consumer and the cloud administrators.
What often gets overlooked in the conversation on cloud security is the subject of “deletability" of cloud data. During this session our expert panel explore the topic of whether cloud data that is “deleted” by an end-user is actually completely removed from the cloud? By end-user we mean the consumer and the cloud administrators.
Well, thank you taking that the time has advanced. I don't want to do that to the extent I had planned, but I wanna give some idea of how the regulation is currently structured need to destroy the, in the era of popular state and cloud. Certainly we have some legal frameworks that are worth looking at. We have the principle of data minimization, at least in Europe, a very large issue, the right to erasure and the right to be forgotten. That's not all not the same thing, but used as the same thing. Sometime we have the, the need to minimize data.
The article five, the GDPR tells us that we need principles relating to data quality, and it does mean data minimization that we should have fairly and lawfully way to work with our information to keep it accurate, keep it up to date where necessary and so on. So that's, again, something we know from current laws, then we have the right to erasure, right? To be forgotten.
Some people say article 17 of the GDPR it's roughly discussed well in relation to the social media, of course, but certainly it's part of our job when we think about getting rid of information and the need to destroy information, because the right to erasure is not an online law or anything. It is applicable to all data that we collect and gather in organizations.
So that's all I wanna say at this point of time, just to give it a little framework, there's slight differences between the right to be forgotten and, and the data minimization data minimization certainly is keep it low from the beginning, right. To be forgotten is as soon as you don't need anymore, please get rid of it. So that's a bit of the other side of the same metal, you know, do the, the, take, the fuse, the, the smallest approach in collecting information that you could have.
So having, you know, introduced those thoughts from the legal side. I think this shouldn't be too legal because it's really a business question how to deal with that. Maybe it would just give us impression on your thoughts on data minimization. Is it more difficult today to, to realize those rules or is it gonna be more easy in the future even? So I think it's fairly easy to do today. There are lots of ISO standards that have to deal with data minimization and best practices around that.
The technologies there, the question is, you know, I, I do believe in data minimization erase, here's a different story. You know, we could all wind up with a missing 12 minutes like Watergate, right? Where you just erase the tapes. And nobody knows what happens during those 12 minutes. And that 12 minutes was probably important, very important information that was never known, right. Because it was a gap in the, in the tapes. And it's just like, if you start to erase things out of your history, you know, then we have nowhere history, Right.
So sometimes it appears to be very easy, but is it something that you think to be easy for a whole organization to really get that exercise through all parts of a group? Or is that something that you would look at from one application to the next, I mean, You know, search engines and things, you know, have standards or we'll have standards for reducing, you know, the PRI taking care of privacy on, on the results and everything, but it's the data's still gonna be there.
It's just the results that get through the reduction through redaction or whatever process that you're gonna use to the end result, but you still have to, you know, I still don't believe in the ratio of, of data. That's been history. Okay. Thank you. So I'm going to take what Anthony said and turn it on its head just to be spicy, but, you know, so in this age where it feels like we are creating more data than ever before, Also that more organizations are collecting more on us than ever before. And in the cloud where data replicates, I think it's actually quite hard to do two things.
One is to minimize it and the other is to erase it. And I'm gonna use this example on the second one. So let's say I'm just gonna use the cloud based example because it feels like cloud is becoming our, our new reality, you know, where we, not just for day to day, but for business increasingly.
So, so let's say I'm a business user. And I ask for some instances, for some data B to be permanently removed, I will say that in many cases, what actually happens is it's just the end users connection to that data that's been severed. Okay. So I just wanted to throw that at there.
Just, Yeah. Well, that's an important point because it might be the case that in, in a certain situation you might be obliged to really kill the information and not just have the access not existing anymore. So that might be the legal issue behind it because the GDPR at times really asked for the data, be being thrown out the out of the window, if you want, and not just have no more access to it.
And, and beyond what, you know, legal frameworks require, there may be a need, you know, for, it may be sensitive. It may be data that falls at, at the scope of any regulation and it may need to be destroyed, you know? And in most cases, I will say that cloud providers, I'm now going to do a reversal on what I've just said, but, you know, cloud providers who are really reputable will do their very best to actually, you know, remove that data. Right. But trace elephant elements may still remain.
And if you've got a cloud provider that, you know, has replicated and has backups, and somehow they don't have that flow, I think one of our earliest speakers talked about the importance of having data flows. You know, they don't have that mapped out. It's not so easy. It's kind of take onsite.
The is, as you say, the issue is backups and, and replication. So give, when you adopt the public cloud, you need that resilience customers want their da their servers to be a hundred percent up time. Cloud providers will replicate that data. So they'll back it up. These go to very big data sites, very large storage, potentially housing, multiple customers' data, lots of different tenants on one page.
It's very hard to look at that and understand for historic data where this particular VMs data store actually is, and actually drill down and say, I've deleted this backup, this replicated image, this historic archive I've got. So Do you wanna go, Mike? Sure. I'm Mike Jones. I work on identity standards at Microsoft. I'll actually take the position that there's nothing particularly new here.
Yes, there are some new regulations and that those are good for individuals and possibly for society, but the need to build applications and business processes that comply with applicable laws is something that's always been true. So an example from the United States, there's regulations about not considering your financial history beyond seven years old.
So that, for instance, if you were irresponsible as a teenager in your twenties and you got yourself into debt and maybe went bankrupt after seven years, there's a grace period or a forgiveness that people are no longer allowed to consider your indiscretions in the past and evaluating your credit worthiness, or your status in the present. And there are exceptions to that. But so the fact that, you know, know the credit reporting agencies and the lending agencies and whatnot, whether they have the data somewhere legally, they may not use it.
And so I don't want to get into debates about whether you purge backup tapes. I think that's silly. They're going to exist. I helped restore 20 year old data off of tapes at Carnegie Mellon, where the first emoticon was posted and invented. And I just remembered that happening.
And I, you know, knew people at the Carnegie Mellon facilities and we pulled tapes out of cold storage and we figured out a way to read it. And we found this data that was 20 years old. That's always going to be possible via many things, but as humans and as business processes, we're still obligated to use data appropriately and the right to be forgotten or the right to not have past history held against you beyond a certain statute of limitations is very old. So you're saying there will be backups it's silly to discuss further. We will continue to have that. Yes.
And we'll still be able to be compliant that's right. And still be able to, well, save that individual that doesn't, we confronted with old information in short words. That's right.
So, you know, I'm sure that being in Google and the search engines, they didn't delete the data that right. To be forgotten requests yeah. Came in for, they just put a filter in front of it. Right. So that in jurisdictions where that law applies yeah. They're compliant with the law. Okay. Yeah.
So I mean, ISO is working on de de-identification standards for, for search engines. And so as, as Mike and others have said, it's disconnecting the identity from the data, that's there not destroying the data that exists. So if I understand, right, the technical solutions are eluting and we are getting better and better in interrupting that connection between an information and an individual. And that's in a way, a privacy measurement as a, as a privacy officer, how, how would you see that? Is that sufficient under the GDPR?
Or should there be more to it in order to come up with the appropriate actions? Okay. So I'm really not an expert on the GDPR. Yeah. So I'm going to not comment specifically on, on that, but I feel like a few things I agree with everything that's been said.
I think, you know, I, I definitely see that as being very true. I definitely feel like today we're increasingly more end user data is being handled in a much broader context that there needs to be a stronger focus on educating business users, on making on how to handle that data.
You know, I think that one of, you know, while not specifically related to the right to be forgotten, I increasingly see data being handled like candy. Okay. And it just surprises me in this day and age that I see it very exposed, you know, and that it feels to me like we just, haven't got the sort of stringent processes in place that I think is necessary to truly protect.
All right, individual's privacy. Am I getting this right?
I, I hear the two of you. I think kind of saying, don't worry about it. Service providers will take care of it in a way they have been doing it. They will do a bit more and, you know, stay, stay up to date and get those things done. And then you are saying, Hey, wait, it's the businesses that need to take care of it. And we need to educate the business, how they work with that existing information. So what's true. Both of it, what's, what's more the problem That we do have the tool sets to deal with it.
I guess what I'm saying is that some of the processes are not yet fully implemented and that what we have is today, if we look at the evolution of how data is being used, it's gone from being fundamentally static to being housed in repositories, where today we see more and more volumes of data being created, more personal data, being handled more broadly in the supply chain by more and more individuals and even machine to machine interactions. And it's really those that need to be addressed.
And not just, and so when I say business consumable, I'm also thinking that it from a service provider perspective, as well as the end business users. Okay. Right. Thank you. Going back to your question, I think we should, we should have the right to trust the provider. So the provider should take any all measurements to basically ensure that the data is removed, obviously when they decommission us high, that should, that should happen.
But I think from the, the customer's protective as well, they should, there's no reason that they shouldn't look to secure their data as well, just in the eventuality that there is a breach or that data, that data gets out there. They can have the confidence by taking that as an action for themselves to basically ensure that when, when they come to turn, while their VMs off in the public cloud, they know that their customer data's safe, any of their intellectual property safe. That's very customer friendly.
You know, me as a customer, I can expect that my service provider will take care of that issue for me. I just imagine I go into the cloud with all of my information and is that appropriate to ask my cloud service provider, to know which data is supposed to be there and which data is not supposed to be there anymore. And how shall he do that if maybe the one or the other cloud service provider doesn't even have access to that information? How can he classify that? I think the customer needs to classify it.
And the best way to do that is to basically take the approach that I'm going to encrypt all of my data that leaves the perimeter that I have full control on. As soon as soon as it's outside of my perimeter, I need to take action. I'm obligated to protect my guys. I can't rely on a provider to basically give me this perfect replication of my environment, but somewhere in the cloud. So unfortunately I will not be able to hand that over to my provider. I will have to do some, I, I think we'll need to Some Homework, I think, to be confident.
And I, I dunno if the rest of the panel agreement, I think we need to do the customer needs to do something I'd say, but there's thankfully there's obviously best practice out there and vendors that can obviously help the customer with that. So you think data classification is an important issue for discriminating. You were mentioned in Just, you know, building off, sorry, I've forgotten your name, Daniel, sorry, sorry.
Building of what Daniel said, you know, so one of the cloud providers that I have the pleasure of working with often, often talks about regulated data, just being dumped into their clouds. And, you know, so I do think to Anthony's Daniel's point that it is upon the encumbered upon businesses to, you know, at least classify what's most important to them to ensure and to, you know, work on SLAs that are appropriate for that sort of level of data where it's highly sensitive. And if it is going to be stored in public clouds.
And today we are very lucky, you know, cloud providers do have built community clouds around types of different, you know, that that help address that to some extent. Okay. I think it is important to make a distinction between services that store your data for you, but do not look at the data right. In any meaningful way, other than as a sequence of bites to store and retrieve, then possibly encrypt for you along the way, but they're not using your data.
They're storing your data versus services that the value that they add is they are looking at your data and providing services for you or about you. And that's where the regulations really apply and should apply. And that's where it's not that you necessarily will trust them because they're, you know, a great service, you have a minimum level of legal compliance that they have to provide when looking at your data or you can take them to court and possibly end their business. Probably.
Yeah, I agree. That context is so important.
You know, So when we are looking at the Shrems case and the major idea of that case was that a company didn't erase data appropriately, it was brought to court. Facebook had all the information still stored that Facebook wasn't supposed to have at the time because the user decided to, well not hold onto that information anymore. And he was very surprised to find out that the company still had that information. So you're saying it's not new that companies, service providers need to raise information. But when we see that case, I'm not sure whether in all cases, this is exercised appropriately.
And I think this is where we need to look. And I wonder how can all the various stakeholders realize that this is being safeguarded?
How, how can we have more transparency in that field that user can be sure, especially in those services that you were just mentioning the ones where data actually is being touched and used and, you know, provided which Facebook is an example Of, right? How can we, this is not, I'm not supposed to do any bashing against Facebook here, but you know, there's so many companies out there that have the same position. And obviously it's not that easy.
So how will users have, and companies accepting services, how will I have, how can they trust in the future and how can, can the different stakeholders work together in order to be sure that everything's done? I'll, I'll take the position again, that there's nothing new here. You will choose the companies that you do business with based on their reputation, which in part, some of their reputation is, are they friendly to their users or are they adversarial to their users? Are they providing good customer service or is it pulling teeth to get them to do what you want them to do?
And it's not easy to necessarily comply with the applicable privacy and data ization laws. It takes actual effort. And some companies will do a good job of that. And hopefully they get good reputations for it and some will not. And hopefully they get written up in the financial times, At least. Yes. So I think that's the use, that's the consumer facing side of things that they see, but there are the, yes, that's what I'm talking about, but there are the technical aspects like ISO 9,000 1 0 1, which is the, which is the data privacy principles, right?
And so you can get certified against those, but the end, user's not gonna know what the ISO number actually means. And so that will depend on the reputation, but there are ways technically that you can look at what they, you know, through various certifications that you can see what a, a company supports or not.
Okay, thank you. Just One, you know, one of the things that I think we're starting to see is that, you know, we are starting to see definitions of privacy change and evolve, you know, not just across generations and across different parts of the world, but, you know, say, I think people will actually end up having a very broad effect on this.
You know, we've, I think right now we're seeing perhaps, you know, with the max REMS, with snowed and other allegations that have come to four, that more end users are starting to wake up and starting to take an interest in this and starting to ask questions about how their data, and when I think about, you know, social engines, for example, any of them okay, that handle consumer data and that have used it, I'm going to, you know, just say from my own personal experience, when I signed up for Facebook, I didn't realize that I had a contract with them to give over my data. Okay.
And, you know, over time I started to watch with interest as clearly third party engines, you know, were looking at my, and somehow that was being correlated in Facebook and what Facebook was serving up. Now, I had a choice then as to whether to discontinue using Facebook or to keep using it. And I think many of us will decide, you know, based on the pros and cons. And you'll see that I think, you know, users will have a huge say in, I think defining how, you know, different social media companies like that, that touch consumer data will use it in the future.
I think we live in this very highly user empowered economy. And I think that that is very different to say 10 years ago. And it feels like obviously users are like, when you signed up to Facebook, how quickly did you find obviously the information where it said, obviously could take your data. I think most there's this different degree of use. Some will obviously take a service. The service providers, Facebook gives them, they can connect with their friends, their family. They typically may not even look at the Ts and CS.
So it's, it's understanding obviously what's gonna happen with that data. And I think, I think the media is obviously we're seeing more and more about data breaches and users are starting to obviously question, okay. Maybe putting my home videos on, on Dropbox.
Isn't, isn't the most sensible idea. So we're definitely starting to think about it more, but there's still quite a lot of education that needs to happen there. I think for people to obviously start questioning that before they just take a service out that obviously uses some sort of cloud, All right. I think that supporting user privacy and user control of their own data can be a competitive differentiator. And I'll give two examples. There's recently been a lot of press about a lawsuit between the us federal government and the apple computer corporation, right?
About whether to grant the federal government rights in a terrorist case to unlock the data in one of the suspect's iPhones and apple made a decision to contest that request and did so very publicly. I know that the Microsoft corporation and a number of others wrote letters of support agreeing with that position. And I know that apple believes that they'll sell more iPhones because they're trying to protect users, privacy, which, you know, good for them, nothing against. I also know that contrasting with the Facebook contract where you're agreeing to give them ownership of your data.
One of the things in Microsoft's privacy policies is that the data that we're storing for you is your data across the board. And if you don't want us to have it anymore, we will delete it. And if you want a copy of it, you can have it. And we think that that does differentiate many of our services from those that we may be competing against. And we may get more business because of that in some cases.
Well, thanks for bringing this up because I was gonna ask you to give a statement on that case as like your final as a final round to give out, to give an outlook on that, because it's not decided yet how, how this is gonna be. So thanks for bringing it up.
If you, we are almost running out of time. If you all maybe wanna comment on that apple case, I'd be really glad to hear what you think on it. Not from a Microsoft point of view, but from a, you know, personal point of view, I wouldn't have any issue with apple giving the, the keys away, right. To unlock it. I think that there are always error cases or exception cases that have to take a context into consideration.
And so I think, you know, this is one that might have turned out differently if they, they didn't get the, the information or it may have not turned out differently, but until you get that information, you don't know the answer. Right. And indeed there, there was probable cause to do a lawful search.
And so, and that's another law that we had that Point of view as well. Right. I think what we've seen is the tide of public opinion around privacy change. And I think that apple decision, or, you know, the way that that went really is a reflection of that. I think what we're going to see is how end user contracts around privacy are drawn up. There are several people, some in this room, I see emailer at the back and I saw Kala before, you know, who are doing a lot of work on user manage access. And I think some of that is going to be really prevalent in the future. Thank you.
I, I think I just ICO Anthony's comments from a, from a, an individual perspective. All right.
Well, thanks very much. I personally believe that cases like those will have more often, especially they will have a larger impact in the future because we'll have to watch the different decisions on it throughout the world. I think this case would have to be looked upon completely different if it was playing in Europe. And I think even though it might be surprising from a data protection point of view, I see the, the possibility very high that even European courts could support your opinion if there was rules to define the exemption.
I think that that is very important to understand that there might be exemptions, but we must be very clear on when should we have those and when should be the should, when should they be taking place? So I think this might be even more an issue in the future single cases like those and the right on truly the right on privacy. And if I sum up what you have brought up on, on stage today years then maybe less, it will be the question, whether we erase enough data, you seem to be all very cool on the razor of information.
And partly again that as well, it should be the responsibility of the companies even more in the future. And I think that also is something we have had in the past. So from that side, it's neither anything new, but still though, I think in single cases as the STRs case, we will be, we be seeing that we will have those court cases again, and it will be probably taking along a while before we find out what's the exemptions and which cases should have been the data erased earlier than it actually was done.
So well, thank you very much for being here to share your thoughts on that. It was a pleasure to have all of you here and well looking forward to seeing you around, enjoy your time at the IIC. Thanks a lot. Thank you very much. Thanks very much.
