For many years, security has been the number one concern of any CTO considering Cloud services. Although 47% of IT security personnel feel they are “forced” to believe in Cloud security, 65% believe that Cloud services are more secure than their own on-premises solutions.
Years of experience suggest that Cloud security claims are true. Breaches have happened, but far less frequently than is the case with on-premises systems.
Global Cloud security spend is expected to reach $11.8 billion by 2022, indicating that businesses are investing significantly to protect their hosted assets.
Data sovereignty – a bigger issue?
Although CTOs realise the dangers presented by cybercriminals, there are other factors to consider. The globally distributed nature of Cloud data centres is hugely useful for system availability but can also present a potentially massive problem.
Data sovereignty – the question of who owns and accesses data across national boundaries – is increasingly important as global political alliances continue to shift. Consider the collapse of the Safe Harbor agreement and the problems that caused for businesses holding data in US-based Cloud services; unable to transfer data outside the EU, these providers could have been left unable to give customers the service they expected.
Fortunately, legislators were able to formulate a suitable alternative – the Privacy Shield – allowing US Cloud providers to resume normal service.
This impasse raised an important question, however – what happens in cases of disputed sovereignty?
With the triggering of Brexit, general political instability and the threat of war in Syria and North Korea, the reality of loss of access to information in an off-site data centre is a genuine risk. And if valuable corporate data is left unrecoverable in a potentially hostile nation state, businesses may find themselves in a very difficult, compromising situation.
Data ownership and consumer-grade Cloud services
Equally concerning is your users’ persistent use of unauthorised consumer-grade Cloud services. The average global enterprise uses over 1100 Cloud applications – but just 14% of them are officially sanctioned.
How much data is being stored off-site, and how it is protected, remains a complete mystery, which leaves the business exposed to all manner of risks.
There is also the question of end user license agreements. Consider the Google Terms of Service:
“When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services”
Clearly, these wide-ranging rights, which continue even after you stop using their services, are concerning – particularly if your users have uploaded NDA-protected content into Google’s services.
Choosing Cloud services wisely
Faced with the dual challenge of data sovereignty and ownership, the CTO must choose Cloud services wisely. For maximum protection against international data restrictions, it makes sense to choose a provider who uses a network of on-shore data centres to prevent international information transfer. This reduces the risk of losing access – or handing access to unfriendly foreign governments.
When it comes to employee use of unsanctioned Cloud services, you will need to take a multidisciplinary approach. First, audit the services in use and assess compatibility with your data protection requirements. Those that fail will need to be replaced by a sanctioned alternative.
Second, you must work with HR to develop a training program, helping employees become more aware of the risks posed by using Cloud services that have not been approved. This may need to be complemented by a robust disciplinary procedure for breaches of the corporate data security framework.
The Cloud is not going to go away – but how your business uses it needs to be strengthened. For more help and advice, please get in touch with the Getronics Managed Cloud team.