With Cloud Security, The Devil's In The Details

Forbes Technology Council
Post written by Ameesh Divatia

The cloud simplifies IT and offers a lot of value for companies. It can eliminate the need for rows and rows of on-premise servers and staff to manage them, providing elasticity to infrastructure and, for some companies, completely eliminating the need for that physical infrastructure.

The management ease of the cloud brings with it an explicit sense of trust. Companies that are customers of cloud providers (and especially their users) tend to implicitly trust the cloud because they believe that reliability and security are completely in the hands of the provider. For many, these concerns simply become “out of sight, out of mind.” (It’s similar to the way many people think of the Post Office. Once the letter or package is in the box, all is safe.) Few look closely at cloud provider terms and agreements, whether they are general users of iTunes and Facebook or companies racing to embrace the cloud.

Just ask yourself: "Who’s responsible for cloud security?" You, and virtually everyone else, will likely answer that the cloud provider (Microsoft, Amazon, etc.) is responsible. After all, it’s their cloud, right? But wait -- dig a little into the details, and you’ll find that’s not the case. In all major cloud provider contracts and agreements, there’s a little devil of a detail: The cloud provider is responsible only for the security of the cloud's infrastructure -- not for safeguarding the security, privacy or appropriate use of the data or information stored within it. And therein lies the rub.

In fact, cloud providers prefer to let their customers take responsibility for all such safeguards because it keeps the providers from being responsible -- or, worse yet, subpoenaed to reveal the data stored in their infrastructure. The agreements and service-level agreements (SLAs) for cloud providers zero in on performance, uptime and other infrastructure-oriented metrics. But it’s the customer who is ultimately responsible for the security of the data and who bears the brunt of any breach’s impact, regardless of the underlying technology used to store that data. This is evidenced by the punitive measures spelled out in such privacy regulations as the EU's General Data Protection Regulation (GDPR), which holds the company that collects and stores end-user data singularly responsible for data breaches, regardless of where or how the data is stored.

In a survey last year, Gartner (paywall) found that the No. 1 concern of security and risk management (SRM) leaders about the cloud was its “concentration” of risk and the consequent attractiveness to attackers. After all, think about the size of a possible heist -- all that valuable data conveniently contained in one place. Second, as an enterprise adopts cloud infrastructure, it relinquishes traditional borders. Clouds are designed to be open and to facilitate sharing. And finally, security professionals realize that the security inside cloud infrastructure lies largely out of their direct control. Standard approaches involve relying heavily on someone else to guard a company’s most important asset -- its data. That’s why so many private clouds exist and why some companies refuse to make the move to any cloud at all.

Now, don’t get me wrong. The cloud is fantastic. It’s a huge multiplier for companies, a massive driver of the current technology industry and part of a wave of simplification and automation that’s badly overdue. But as with anything so transformative, you have to take care that the velocity and excitement it creates does not rush you right past considering critical, basic business needs like security.

So what’s one to do?

First, take responsibility. As much as you may not like it, those detailed cloud agreements put the core responsibility for data in the right place: with the data owner. Don’t misunderstand: Cloud systems don’t get a free pass. They do share responsibility and need to be the most secure, monitored and even regulated of entities. But when you collect data from end-user customers and systems and share it, you are ultimately responsible. You are responsible for the data you collect and share, regardless of how it is stored or who stores it.

Because of this, the blame for any security breach is going to land squarely on your company, brand and revenue -- not on the cloud platform technology provider. And now, the stakes and consequences for such breaches are higher than ever. GDPR, which goes into effect May 25, will punish companies for data privacy breaches with fines up to €20 million or 4% of global revenues. The bigger you are, the more you will pay.

Second, it is finally time to let go of outdated perimeter security models when it comes to the modern collection, use and sharing of data. Information security needs to focus less on how data is stored, shared and walled off and more on the data itself. Data is vast, and like water, it’s fluid and constantly in motion. Putting containers, locks and traps around it is just impossible. The fundamental shift has to be toward securing the data itself rather than just the data storage mechanism.

This accounts for the growing industry momentum and argument for data-centric security, where protection measures like modern encryption travel with the data itself or allow access and use without decrypting the data. (The vast majority of data breaches exploit gaps in encryption, where the data is simply in the clear and unprotected during a particular action.) With the data-centric approach, chain-of-custody problems and protection gaps don’t exist.
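The data-centric approach described above, as an added example that is not code from the original column or its author: each sensitive field is encrypted with a key the data owner holds, so the protection travels with the record into whatever cloud store it lands in, and a keyed blind index allows exact-match lookups without ever decrypting. It goes one step beyond the text by binding each ciphertext to its record ID, so a value copied onto a different record fails to decrypt (a concrete chain-of-custody check). Uses only the Go standard library; key material, record IDs and values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// ProtectedField is all the cloud store ever sees: ciphertext plus a searchable token.
type ProtectedField struct {
	Nonce, Ciphertext []byte
	BlindIndex        string
}

// NewAEAD builds AES-256-GCM from the owner's 32-byte key (owner-held; never given to the provider).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// blindIndex is a keyed hash under a second, separate key: equality-searchable, not reversible.
func blindIndex(indexKey []byte, v string) string {
	m := hmac.New(sha256.New, indexKey)
	m.Write([]byte(v))
	return hex.EncodeToString(m.Sum(nil)[:16])
}
// Protect encrypts one field, bound to its record ID via additional authenticated data (AAD).
func Protect(aead cipher.AEAD, indexKey []byte, recordID, v string) (ProtectedField, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedField{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(v), []byte(recordID))
	return ProtectedField{nonce, ct, blindIndex(indexKey, v)}, nil
}
// Unprotect runs only on the owner's side; a ciphertext copied onto another record ID fails here.
func Unprotect(aead cipher.AEAD, recordID string, f ProtectedField) (string, error) {
	pt, err := aead.Open(nil, f.Nonce, f.Ciphertext, []byte(recordID))
	return string(pt), err
}
// Matches answers an exact-match query against a stored field without decrypting it.
func Matches(indexKey []byte, f ProtectedField, v string) bool {
	return f.BlindIndex == blindIndex(indexKey, v)
}
```

A stolen copy of the store yields only ciphertexts and keyed tokens; reading the data or correlating it against chosen values still requires the owner's two keys, which is what moves the breach risk off the storage layer.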

And finally, demand the best. You need to watch your vendors, ask questions, regularly audit and demand the highest levels of protection. Just like other consumers who vote with their feet when they don’t trust a vendor, so can you. But if you don’t take responsibility for your own data security, don’t expect a better result simply by swapping vendors.
