CNIL (French Data Protection Authority) recommendations on the use of cloud computing services

On June 25, CNIL – the French Data Protection Authority – published its recommendation on the use of cloud computing services. This recommendation is the result of a research project on cloud issues, which started in the Fall of 2011 with a consultation with industry. The documents released by CNIL include a summary of the research and documents; a compilation of the responses received to the consultation, and a set of recommendations.

Below are a summary of the recommendations, provided by CSA’s General Counsel, Francoise Gilbert, and reproduced here from her blog with permission:

The recommendations includes:

  • Clearly identify the type of data and type of processing that will be in the cloud
  • Identify the security and legal requirements
  • Conduct a risk analysis to identify the needed security measures
  • Identify the type of cloud service that is adapted for the contemplated type of processing
  • Choose a provider that provides sufficient guarantees

The CNIL document also provides an outline of the contractual clauses that should be included in a cloud contract and contains “Model Clauses” that may be added to contracts for cloud services.  These model clauses are provided as a sample, are not mandatory, and can be changed or adapted to each specific contract.

Except for a high level summary in English, the documents described above are currently available only in French on the CNIL website.  According to CNIL representatives, English translations of these documents should be available shortly.

  • Overview of CNIL Recommendation – Summary in English:

  • Overview of CNIL Recommendation – Summary in French

  • Compilation of the responses to the CNIL consultation on cloud computing (in French)

  • Recommendation for companies wishing to use cloud services (in French)



Free Your Data & the Apps Will Follow – But what About Security?

About Author
Mark O’Neill is CTO of Vordel, a company which enables companies to connect to mobile and cloud

Application Programming Interfaces (API) represent such an important technology trend, that new business models are evolving on top of them, and this has led to the term “The API economy”. The API economy encompasses API developers, the businesses providing the APIs, the businesses hosting APIs and app developers. This growing API economy has resulted in a switch in the mindset of many organizations that are now making access to internal data readily available to third parties, enabling partners and customers to develop value-added applications on top of this data. As such, many organizations no longer hold information close, but actually are seeking to make it available for external developers to write apps on top of the data. While many organizations are naturally concerned about the security risks posed by opening up and sharing access to data and indeed how they can derive long-term revenues from new API-led business models, the good news is that these concerns are being addressed. In fact, if organizations are not prepared to play in the API economy, they run an even greater risk of being left behind. In this article we look at some of the security challenges APIs pose, and how these can be addressed to ensure organizations don’t miss out on the opportunities API offer.
The Organization is now the Platform

APIs thrive on data. Examples include shipping information APIs (shipping data), financial quote APIs (financial data), and geographic APIs (location data). The popular maxim around the API economy notes that if an organization is willing to free its data, the applications will follow.

This new paradigm shift driven by APIs has also impacted at board room level. CEOs now expect their CIOs and CTOs to be able to showcase iPhone and Android app versions of their latest service offerings. However rather than asking “why are we not building iPhone applications,” the CEO should be asking, “why aren’t we allowing others to write iPhone applications on top of our data?” In other words, the goal of the organization should be to become a transparent platform for serving up data to third parties who can develop mobile apps on top of this platform. This means that the business effectively becomes a platform. For example, if a Financial Services company provides APIs enabling any developer to write the application, then it becomes a platform itself.





Secure API Delivery

So we’ve seen how APIs enable enterprises to deliver business services via Cloud, mobile, and partner channels quickly and flexibly. Enterprises need an agile API Server platform to ensure quick time-to-market with new business services. APIs handle critical business transactions and often have direct impact on customer interactions and business’s ability to execute. Poor API security and performance can result in lost sales, missed opportunities and inability to deliver. Every API requires a supporting infrastructure to make sure the APIs are properly managed, delivered, and secured.


Strong security is also essential as organizations need to monitor any suspicious usage of APIs in order that their APIs can be safely deployed, without compromising the data. Critical business functions such as ordering, fulfilment and payment are conducted via APIs. Attacks on these business critical services can result in loss of revenue and sensitive data. On the one hand, “enemy fire” attacks and exploits are becoming more sophisticated and organized, while on the other hand, the proliferation of API clients is subjecting APIs to increased levels of “friendly fire” from poorly engineered or malfunctioning clients. Organizations need to protect their APIs from both enemy and friendly fire alike.

Protect APIs Against Enemy and Friendly Fire

Threats that organizations need to consider protecting their enterprises against include such all common attacks as outlined in the NIST SP800-95 document “Common Attacks Against Web Services”[i] which include:

  • Denial of service attacks
  • Command injection attacks
  • Malicious code, virus
  • Sniffing
  • Spoofing, tampering, and impersonation
  • Data harvesting
  • Privilege escalation
  • Reconnaissance

The increase in both number and variety of API clients can also lead to a larger number of poorly engineered clients, as well as an increase in incidents of client malfunction. A misbehaving client repeatedly sending requests can cause as much damage as a denial-of-service attack. Organizations need to protect their APIs from potential “friendly fire” by monitoring API call volume and client behaviours. Clients exhibiting disruptive behaviours can be blocked or throttled.


APIs are increasingly being exposed to larger and more diverse populations of developers and applications. With this increased exposure, comes inevitably increased levels of operational and security risks. To guarantee good availability and user experience; IT must have security, control and monitoring capabilities as part of its API delivery platform. Having an API Server to manage, deliver and secure APIs is central to any coherent API strategy.


Outline of BCR for Processors Published by Article 29 Working Party (EU)

On June 19th, the Article 29 Working Party, which is composed of Data Protection Authorities from the member states of the European Union, released an important opinion on the use of a legal means to move personal data outside of the border of the EU, called Binding Corporate Rules (BCRs). The guidelines apply to data processors. This has implications for cloud computing in Europe. The following blog entry on the Working Party’s opinion was written by the external legal counsel of the CSA, Ms. Francoise Gilbert of the IT Law Group. We repost it here with her permission.

Outline of BCR for Processors Published by Article 29 Working Party

Posted by fgilbert on June 20th, 2012

On June 19, 2012, the Article 29 Working Party adopted a Working Paper (WP 195) on Binding Corporate Rules (BCR) for processors, to allow companies acting as data processors to use BCR in the context of transborder transfers of personal data, such as in the case of cloud computing and outsourcing.

WP 195 includes a full checklist of the requirements for BCR for Processors and is designed both for companies and for data protection authorities.  The document provides a checklist outlining the conditions to be met in order to facilitate the use of BCR for processors, and the information to be found in the applications for approval of BCR to be presented in the application filed with the Data Protection Authorities.