Why data security in the cloud is your responsibility
Concerns about data security have always been one of the key inhibitors for the take-up of cloud – yet its rapid growth in the last year suggests that such fears now are being overcome.
In many cases, they were overstated and were more about overall supplier risk management, which relies on the supplier’s financial security and terms of contract. With appropriate due diligence cloud can actually provide improved data security, because most cloud service providers will implement and manage considerably better IT security controls than internal IT departments.
There are three reasons for this. Firstly, ensuring good security is vital to the success and wellbeing of the cloud provider’s business; most reputable firms hold and maintain ISO 27000 best practice information security certifications. Many cloud providers also host data from the public sector and regulated industries, which require them to gain separate pan-government security accreditations and to be regularly security tested by independent, government approved security testers in order to maintain them. Finally, cloud providers can afford the best security technologies and the staff to maintain and update them.
Using cloud to deliver a virtualised desktop environment also has another security advantage: no data ever leaves the data centre unless the organisation’s security policy specifically allows mapping of local drives, USB memory sticks or other external storage. However, trusting your data to the cloud does not mean that your organisation can simply hand over all responsibility to its chosen cloud provider. You need to ensure that the service provider delivers the appropriate levels of information security and measure, audit the supplier yourself to ensure that the relevant security is applied and manage it as they would for every corporate risk.
First, you need to evaluate your potential supplier’s financial security and terms of contract, as you would when buying any other service, and seek out independent verification of their capabilities.
Second, and before moving any data to the cloud, ask your potential cloud service provider:
- Who is the ultimate holder of my data?
- Where is my data held? This may be particularly important if your organisation needs to comply with Safe Harbour principles on the protection of personal data. Be aware that your cloud provider has to tell you where they will be storing your data. It is important to ensure it is stored in a jurisdiction that has the correct safeguards in place and does not contravene the Data Protection Act.
- Do you operate good processes and can you prove it?
- What specific security standards and levels of security are you applying to my data?
- How can you guarantee that no-one else can get access to my data unless I specifically want them to?
One organisation for which data security is paramount is a logistics company handling and storing high value items. Rather than managing their own data security, they now use a managed cloud service from Fordway which provides their specialised applications to virtualised desktops. Data is held safely in the cloud, and users cannot store confidential data on their desktops. They have 24x7 monitoring and support and a fully managed DR service, with data snapshotted and replicated to the company’s backup site so it can be restored quickly if required.
The risks of getting it wrong
The risks of a data security breach will differ for each organisation. For some, the risk is primarily the loss of sensitive corporate data, which could have serious financial and operational implications. A survey by PwC for the Department of Business, Industry and Skills found that the average cost of a security breach is £1.46m - £3.14m for a large organisation and £75k - £311k for a small business.
For companies developing innovative new products, the risks can be even greater. Commercial espionage is not merely idle speculation by IT companies keen to sell the latest security products. In a speech last year GCHQ director general for cyber security Ciaran Martin noted that intellectual property is valuable as never before, and referred to an “astonishing” level of cyber attacks on UK industry sponsored by other states.
Organisations also have to meet ever-stricter statutory compliance and governance obligations, such as the Sarbanes-Oxley Act, the PCI (Payment Card Industry) directive and in the UK the Data Protection Act. If they which breach regulatory requirements for handling sensitive customer data they will both reduce customer confidence and can be fined by the relevant authorities. The Data Protection Act is rigorously enforced by the ICO, which has the power to issue penalty notices of up to £500,000 for serious breaches of the Act. There are also plans for a new General Data Protection Regulation which could see businesses fined up to 4% of their annual global turnover for breaching new EU data protection laws.
Data security, then, is not something to be taken lightly. However, the cloud offers significant advantages over in-house data storage provided that organisations take the appropriate precautions before choosing a cloud service. Evaluate your potential supplier carefully, ensure that you know exactly where your data will be held and what security processes and standards will be applied, and continue to audit your supplier regularly to ensure standards are maintained.
- » Microsoft secures ISO 27017 security certification around cloud-specific threats
- » On a wing and a prayer: How to really make your DevOps practices soar
- » Why CIOs need to be strong in picking a cloud strategy – and sticking to it
- » Research suggests “tactical rather than strategic” cloud adoption in ASEAN
- » Six key benefits of cloud computing in the healthcare industry