Data Security and Loss of Control Killing Cloud?

Uploaded on 2015-06-27 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Data security and loss of control killing cloud?

A recent poll shows that, despite booming cloud adoption rates, concerns over data security and privacy persist.

Hang on, that’s the same as every other poll I’ve read over the last 5 years.
What’s different about this is that attitudes seem to have hardened. The Cloud Industry Forum (disclosure – I chair their code of practice board) asked 250 senior IT managers and business decision-makers from both the public and private sectors in the UK. 70% were concerned about data security and 61% were concerned about data privacy compared to 61% and 54% respectively in last year’s poll. The exact numbers fluctuate but concerns over data remain consistent.

It’s hardly surprising when you have a constant stream of stories about the latest organisation to fall victim of a security breach / hack. And there is the ever present backdrop of the Snowden revelations and the US and UK government reviewing their approach to surveillance, while not forgoing any of their powers. Not forgetting the EU Commission’s push to get the new General Data Protection Regulation finalised later this year.

The notion that cloud is inherently insecure is absurd
But the notion that cloud is inherently insecure is as absurd as the one that on-premise is inherently secure. Data is only as secure as the measures adopted to ensure it is secure. If you have taken steps to protect your data on-premise then you would expect at least that in a cloud environment. If you haven't, then your data might be more secure in cloud.

Loss of control

From my perspective, what is more interesting is that there has been a marked increase in those worried about losing control/manageability of their IT, up from 24% last year to 40% now. It’s true that public cloud is often sold on the Henry Ford model — any customer can have our public cloud as long as it is exactly what we already sell with all the SLA and liability exclusions. I have advised clients privately and written and presented publicly on this topic. Summary: public cloud is great, but you need to go into it with your eyes open and be aware of the risks.

Equally, that suggests that some people believe the only cloud on offer is public cloud. Of course, no one really uses the NIST definitions (did they ever?) and consequently the term “cloud” doesn’t mean the same to everyone. If public cloud doesn’t do it for you, then you should consider private or hybrid cloud. These are customisable for the customer allowing them to build in the controls they need. And, of course I should point out that the Cloud Industry Forum (see earlier disclosure) code of practice advocates transparency, capability and accountability.

Are customers lazy?

In my experience, data security and, specifically, data protection laws are used as a lazy way of not making a decision that will lead to change. Sometimes this is to protect a large established on-premise IT team and the kudos and budget that goes with it. Sometimes it is a specious understanding of what the law says: yes it says be careful how and where you store your data but, no, as a general rule it doesn’t say you can’t move data outside the UK / Germany / EU / EEA / into a cloud.

If you want something you need to identify clearly what it is you want and your budget for it. Everyone knows that a Smart car and a Rolls Royce perform the same basic function of getting you from A to B but they have wildly different specifications. No one paying for a Smart car truly believes they are actually getting a Rolls Royce and vice versa. In cloud, as in life, you get what you pay for: if you want more, you generally have to pay more.

Frank Jennings is Cloud & Commercial Lawyer at Wallace LLP:  http://ow.ly/ORFh6

 

« US spied on French presidents
NSA Chief: Don’t Assume China Hacked OPM »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

Datiphy

Datiphy

Datiphy's data-centric security platform uses behavioral analytics, and data-centric auditing and protection capabilities to mitigate risk.

IAC

IAC

IAC is a specialist Irecruitment consultancy covering Internal Audit, Risk, Controls, Governance, IT Audit, and Cyber Security roles.

Wipro

Wipro

Wipro Limited is a leading global information technology, consulting and business process services company.

Randori

Randori

Randori is an attack platform that provides "red-teaming" as a service - basically, staging simulated hack attacks to test for vulnerabilities and gaps in the security response.

2Keys

2Keys

2Keys designs, deploys and operates Digital Identity Platforms and Cyber Security Platforms through Managed Service and Professional Service engagements.

ProSearch Partners

ProSearch Partners

ProSearch Partners are national talent acquisition specialists exclusively focussing on Technology and Digital talent including Cybersecurity, Data Analytics and Execs.

Cyber Management Alliance

Cyber Management Alliance

Cyber Management Alliance is closing the divide in cyberspace by bringing together the best qualities of thought leadership and operational mastery of cyber security management.

Magna5

Magna5

Magna5 is a managed IT service provider focusing in network and server monitoring, backup and disaster recovery, cybersecurity, help desk and SD-WAN.

Bright Pixel Capital

Bright Pixel Capital

Bright Pixel Capital is a venture capital company with a focus on Cybersecurity, Retail Technologies, Digital Infrastructure and Emerging Technologies.

KCS Group Europe

KCS Group Europe

KCS Group helps its clients to identify and deal with any risks, weaknesses and threats which could impact on the business financially or reputationally.

Silk Security

Silk Security

Silk is the first platform that enables enterprises to take a strategic, sustainable approach to resolving code, infrastructure and application risk.

Assetnote

Assetnote

The Assetnote platform enables organizations to effectively map and continuously monitor their external attack surface.

BARR Advisory

BARR Advisory

At BARR Advisory, we build trust through cyber resilience. We help protect the world’s data, people, and information networks through a human-first approach to cybersecurity and compliance.

Strategic Security Solutions (S3)

Strategic Security Solutions (S3)

S3 is a leading provider of Cybersecurity consulting services for Identity and Access Governance (IAG), Zero Trust, and Enterprise Risk and Compliance.

Airbus Protect

Airbus Protect

Airbus Protect is an Airbus subsidiary bringing together the Company’s expertise in cybersecurity, safety and sustainability-related services.