While cloud applications have demonstrated their ability to increase enterprise productivity, IT security executives currently face a tough balancing act to ensure that sensitive information remains protected, while the business continues to progressively adopt cloud applications.
On-premise applications are now a thing of the past, and since those days, the rulebook has changed. Organisations now rarely have physical access to their data storage, which means itโs vital fundamental questions are asked and teams understand who needs to take responsibility for security.
You might ask:
Whoโs really responsible for my data?
The short answer is: you are. As the data owner, itโs your responsibility, not that of the Cloud Service Provider (CSP), to secure your data.
The EUโs General Data Protection Regulation mandates that in the event of a data breach, enterprises will be held directly accountable, and will not be able to shift the blame onto the cloud provider which holds the information.
[easy-tweet tweet=”The data you have stored in the cloud resides in a physical location” hashtags=”Data, Cloud”]
Whereโs my data?
The data you have stored in the cloud resides in a physical location. So when setting up and managing your storage, make sure you discuss with your Cloud Service Provider which country, or countries your data will reside in. Be aware that the requirements and controls placed on access differ from country to country.
Regulations like Privacy Shield have the potential to pose a significant issue to companies looking to use of cloud services in different jurisdictions. If your cloud provider stores your information outside the EEA for example, the data protection policies may be less stringent. Should a data breach occur it is you who would be held accountable.
Who has access to my data and my code?
Insider attacks present a huge risk. A potential hacker could easily be someone with approved access to the cloud. Additionally, more advanced users might have access to encryption keys for data that they might not have approval to view. You need to know whoโs managing your data and the types of security controls and access management protocol applied to these individuals and their network accounts.
A key element which is worth putting some thought into here is the encryption of data, both in transition, and at rest. Data encryption is an effective way to maintain compliance with regulatory programmes and youโll need to be able to answer questions such as, โwho has the keysโ, โwhen was it encrypted fromโ, โwho encrypted itโ and โwhen does the encryption expireโ.
What is the current maturity and long-term viability of my chosen CSP?
How long have they been in business? Whatโs their track record? Are they operationally effective and secure? If they go out of business, what happens to your data?
Naturally, data confidentiality within cloud services is a fundamental concern: you need to be confident that only authorised users have access to your data. Here, we must stress again that, as a data owner, you are fully responsible for compliance โ itโs up to you, not the CSP, to secure valuable data. Public cloud computing asks you to exert control, without ownership of the infrastructure, in order to secure your information through a combination of:
- Encryption
- Contracts with service-level agreements
- By (contractually) imposing minimum security standards on your provider.
What happens if thereโs a security breach?
What support will you receive from the provider? While many businesses claim to be hack-proof, cloud-based services are an attractive target to determined hackers. BT has in place established policies and procedures that ensure the timely and thorough management of incidents according to priority. For example:
- BT Contractors, employees and third-party users have a responsibility to report all information security events in a timely manner.
- Every event is reported promptly either through the BT Cloud Compute Service Desk or the Portal in compliance with statutory, regulatory and contractual requirements.
What is the disaster recovery/business continuity plan?
Remember your data is physically located somewhere, and all physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, you need to find out how your cloud provider will respond, which protocols it has in place, and what kind of guarantee it offers to continue services.
Successful business continuity depends not only on the CSPโs provision of the IaaS, but on the timely recovery of your data, which is ultimately your responsibility to ensure.
Luke Beeson, Vice President, Security UK and Continental Europe at BT. Passionate about securing technology in support of a safer connected world. Currently running BT's Security business for UK multinational companies. Using experience of running BT's Cyber Defence and Physical Security Operations to help customers scope enterprise wide managed security services from simple network security device management to complex cyber defence solutions.