Who is ultimately responsible for data security in the cloud?
A recent report following Infosecurity Europe 2014 suggested that 43 per cent of organisations had no enterprise-wide visibility into, or control over, whether employees were putting sensitive data into the cloud. A separate survey found that almost half of firms already run their company from the cloud or plan to. Both findings show just how integral the cloud is becoming to business.
With increased reliance on cloud computing and so much data being entrusted to it, the question must be asked: how do cloud providers ensure that business data is secure and where does responsibility for data security ultimately lie?
It is important first to consider who would be to blame should a data breach occur. It could be the cloud service provider, but it could just as easily be the customer that did not fully research the provider's security procedures before putting confidential data into the cloud. Companies must exercise due diligence, although even reasonable precautions will not stop the most resourceful attackers.
Ensuring data security within the cloud
Cloud providers are keen to stress that the data businesses store with them is secure. Verifying data integrity and availability are the best-understood ways of demonstrating this, while user authentication and granular access control are still comparatively immature. Software assurance, meanwhile, is still in its infancy, as the impact of the Heartbleed bug showed.
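Integrity is the one property a customer can verify without trusting the provider's word for it. The following is an added example, not code from the original article or from Bitdefender: the customer hashes each object before upload, keeps a MAC-protected manifest outside the provider's control, and recomputes the hashes after download. The helper names, the manifest key and the sample objects are all hypothetical and constructed for this illustration.

```python
"""Client-side integrity manifest for objects kept in cloud storage.

Hypothetical helper written for this article (not Bitdefender's or any
provider's code). The customer hashes each object before upload and keeps
a MAC-protected manifest outside the provider's control; after download
the hashes are recomputed and compared. Because the manifest key never
leaves the customer, neither a provider-side error nor an attacker with
write access to the bucket can silently rewrite an object and its entry.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Canonical JSON so the MAC is stable regardless of dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(objects: dict, key: bytes) -> dict:
    """Map object name -> SHA-256 hex digest, authenticated with an HMAC."""
    entries = {name: sha256_hex(data) for name, data in objects.items()}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_download(manifest: dict, downloaded: dict, key: bytes) -> dict:
    """Return a status per object: ok / modified / missing / unexpected.

    Raises ValueError if the manifest itself fails its MAC check, since a
    tampered manifest would make every per-object result meaningless.
    """
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest MAC check failed")
    report = {}
    for name, expected in manifest["entries"].items():
        data = downloaded.get(name)
        if data is None:
            report[name] = "missing"
        elif hmac.compare_digest(sha256_hex(data), expected):
            report[name] = "ok"
        else:
            report[name] = "modified"
    # Objects present in storage but absent from the manifest are flagged too.
    for name in downloaded:
        if name not in manifest["entries"]:
            report[name] = "unexpected"
    return report


# Constructed sample data for the example (not real customer files).
SAMPLE_KEY = b"customer-held-manifest-key"
SAMPLE_OBJECTS = {
    "contracts/2014-q2.pdf": b"%PDF-1.4 fake contract body",
    "hr/payroll.csv": b"name,amount\nalice,100\n",
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_OBJECTS, SAMPLE_KEY)
    # Simulate what came back from the provider: one object altered in place.
    returned = dict(SAMPLE_OBJECTS)
    returned["hr/payroll.csv"] = b"name,amount\nalice,100000\n"
    print(verify_download(manifest, returned, SAMPLE_KEY))
```

The manifest and its key live on the customer's side (for instance in a configuration store the provider cannot write to), so the check is independent of whatever integrity guarantees the provider advertises; the same approach extends to checking that a restore from backup returned exactly what was stored.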
Entrusting confidential data to the cloud does not necessarily weaken a company's security posture, but the outcome depends very much on the company and the sector it operates in. For some, perhaps most, buying an off-the-shelf cloud storage solution is the better choice because the expertise to build something better is simply not available in-house. That does not excuse any company from doing its own risk assessment first.
There is no panacea when it comes to a company and its cloud provider securing data together. Setting clear expectations and goals is important, and key questions should be settled up front: Where will the data be stored, and under which jurisdiction? How will it be secured? What are the likely threats and how will they be mitigated? Who is responsible for which aspects of the operation? These and other questions should be answered in a comprehensive services contract before agreeing to work with a cloud provider.
The need for enhanced cloud education
As we explored ourselves at Infosecurity Europe 2014, more education is needed about the cloud, and companies should seek advice so that they understand what is involved in securing data effectively.
The IT security industry has done a fairly good job of explaining existing risks and solutions to individuals, but informing and educating businesses and governments is a much taller order. At Bitdefender, we believe the training and skills development programme provided by ITU-IMPACT is very useful, not just for critical infrastructure industries but also as a template that could be replicated across the rest of the private sector.
The worst thing that we can do is to let criminals do the educating for us. Pain is a good teacher, but it can also be crippling. Industry and trade associations have a big role to play here, as does the Government.