When is data best stored in the cloud? When is it best stored on-premise?
There are some considerations when it comes to deciding where data must reside.
In general, organisations are inclined to store sensitive or personally identifiable information (PII), such as financial or customer data, on-premises where they have complete control. This is especially true when access to the data is primarily sought by internal employees or contractors.
On the other hand, data that is used by external parties, such as business partners or vendors, can be stored externally in the cloud to improve access to information and cross-company collaboration. However, as new security tools and approaches become available, the decision to store information on-premises or in the cloud can come down to the availability and cost of storage. Many organisations today are rapidly moving data storage to the cloud to take advantage of the improved user experience and the significant cost savings that weren’t possible with traditional, on-premises storage solutions.
What are the legal issues around storing data, whether it is on-premise or in the cloud? What is the current situation in the UK?
In most respects, the legal issues around whether data is stored on-premises or in the cloud are similar. There are specific requirements that must be addressed in both cases, such as governing who has access to information, where it is physically stored – including country or region requirements – and whether it must be encrypted ‘at rest’ and ‘in transit’.
However, there are additional implications for data stored in the cloud. For instance, organisations must be ready to validate the security and data protection controls put in place by the third party hosting the data. The organisation will be required to show that any sensitive data residing in the cloud is protected to the degree required by law, especially with GDPR just around the corner.
Another important legal aspect of storing data in the cloud is drafting the appropriate security requirements and service level agreements with third-party cloud vendors. It’s important all parties understand and agree to the specific safeguards which will be used and how the third party will respond if any inappropriate activity is detected.
How will things change when it comes to data storage on the cloud/on-premise when GDPR comes into force?
Specifically, with GDPR on the horizon, many organisations will require a considerable shift in their thinking and their IT business support systems as the focus on the protection of personally identifiable information (PII) is magnified.
The number one issue for organisations will be accurately identifying where PII data is stored. Once an organisation has a handle on the location of data, it can implement the required legal oversight and controls for each location, or move the data to a location that meets the minimum requirements for GDPR.
GDPR legislation specifically introduces the idea of ‘privacy by design’, which means all new cloud and on-premises systems must be architected to ensure private and personal data compliance at the start and end of all business or service processes.
Embedding privacy early on in the design process of systems ensures enterprises have a holistic view of what data they have, its availability, who can process it and who has access to it. This means governing access in a sustainable, consistent and auditable way.
The reality is, privacy by design and securing PII is no longer merely a desire but is set to become a legal mandate.
It’s critical that any business subject to GDPR takes steps to understand the legal issues around storing data and how to implement the relevant controls and best support its obligations. Failure to do so will result in heavy financial fines and put the organisation’s reputation at risk in the longer term.
What are the drivers for putting data either in the cloud or on-premise?
The main drivers are the availability of the data, storage costs and security. Understanding the trade-offs between these three areas is how the organisation will ultimately decide where data can and should be stored.
What is likely to change in the next 12-18 months concerning data storage for organisations? What should be on their radar and why?
Over the next few years, more organisations will look at cloud-based storage options – that’s a given. As cloud solutions seek to address security permutations, enhance productivity gains and save on the corporate wallet, organisations will begin to seriously consider migrating data to this platform as the benefits significantly outweigh the risks.
Transitions to cloud-based applications and business productivity platforms such as Office 365 are also driving this transition. As more and more data starts out in the cloud, leveraging cloud-based storage solutions tied to these applications and platforms will become the default option for many organisations moving forward.
It’s a careful balancing act that Paul Trulove has perfected in his years at SailPoint – understanding clients’ critical needs today and anticipating the issues they’ll face tomorrow, and then making sure SailPoint’s products address both. As vice president of product management, Paul leads product strategy and is responsible for setting the vision for SailPoint’s market-leading identity and access management (IAM) products including IdentityIQ, IdentityNow and SecurityIQ.
Prior to being named vice president of product management, Paul was SailPoint’s director of product marketing, driving the product strategy, roadmap and messaging for IdentityIQ. In that role, he worked closely with customers to define innovative solutions addressing a wide range of market needs. He also played a key part in taking SailPoint from its early days as a pioneer in identity governance to a leader in provisioning and, most recently, to embracing new delivery models for IAM as the company delivered its first enterprise-ready SaaS solution.
It’s all part of a market-driven view that’s at the heart of SailPoint’s culture, and one that has been part of Paul’s way of thinking throughout his career. Prior to joining SailPoint in 2007, he led strategic product initiatives at Newgistics, including launching a variety of new products and services. Paul has also held marketing and sales positions for a variety of technology enterprises, including Sabre, Inc. and Pervasive Software.