Data Security and Loss of Control Killing Cloud?


A recent poll shows that, despite booming cloud adoption rates, concerns over data security and privacy persist.

Hang on, that’s the same as every other poll I’ve read over the last 5 years.
What’s different about this one is that attitudes seem to have hardened. The Cloud Industry Forum (disclosure – I chair their code of practice board) polled 250 senior IT managers and business decision-makers from both the public and private sectors in the UK. 70% were concerned about data security and 61% were concerned about data privacy, compared to 61% and 54% respectively in last year’s poll. The exact numbers fluctuate but concerns over data remain consistent.

It’s hardly surprising when you have a constant stream of stories about the latest organisation to fall victim to a security breach or hack. And there is the ever-present backdrop of the Snowden revelations and the US and UK governments reviewing their approach to surveillance, while not forgoing any of their powers. Not forgetting the EU Commission’s push to get the new General Data Protection Regulation finalised later this year.

The notion that cloud is inherently insecure is absurd

But the notion that cloud is inherently insecure is as absurd as the one that on-premise is inherently secure. Data is only as secure as the measures adopted to ensure it is secure. If you have taken steps to protect your data on-premise then you would expect at least that in a cloud environment. If you haven't, then your data might be more secure in cloud.

Loss of control

From my perspective, what is more interesting is that there has been a marked increase in those worried about losing control/manageability of their IT, up from 24% last year to 40% now. It’s true that public cloud is often sold on the Henry Ford model — any customer can have our public cloud as long as it is exactly what we already sell with all the SLA and liability exclusions. I have advised clients privately and written and presented publicly on this topic. Summary: public cloud is great, but you need to go into it with your eyes open and be aware of the risks.

Equally, that suggests that some people believe the only cloud on offer is public cloud. Of course, no one really uses the NIST definitions (did they ever?) and consequently the term “cloud” doesn’t mean the same to everyone. If public cloud doesn’t do it for you, then you should consider private or hybrid cloud. These are customisable for the customer, allowing them to build in the controls they need. And, of course, I should point out that the Cloud Industry Forum (see earlier disclosure) code of practice advocates transparency, capability and accountability.

Are customers lazy?

In my experience, data security and, specifically, data protection laws are used as a lazy way of not making a decision that will lead to change. Sometimes this is to protect a large established on-premise IT team and the kudos and budget that go with it. Sometimes it is a specious understanding of what the law says: yes, it says be careful how and where you store your data but, no, as a general rule it doesn’t say you can’t move data outside the UK / Germany / EU / EEA / into a cloud.

If you want something you need to identify clearly what it is you want and your budget for it. Everyone knows that a Smart car and a Rolls Royce perform the same basic function of getting you from A to B but they have wildly different specifications. No one paying for a Smart car truly believes they are actually getting a Rolls Royce and vice versa. In cloud, as in life, you get what you pay for: if you want more, you generally have to pay more.

Frank Jennings is Cloud & Commercial Lawyer at Wallace LLP: http://ow.ly/ORFh6

 
