Data Security and Loss of Control Killing Cloud?

A recent poll shows that, despite booming cloud adoption rates, concerns over data security and privacy persist.

Hang on, that’s the same as every other poll I’ve read over the last 5 years.
What’s different about this is that attitudes seem to have hardened. The Cloud Industry Forum (disclosure – I chair their code of practice board) asked 250 senior IT managers and business decision-makers from both the public and private sectors in the UK. 70% were concerned about data security and 61% were concerned about data privacy compared to 61% and 54% respectively in last year’s poll. The exact numbers fluctuate but concerns over data remain consistent.

It’s hardly surprising when you have a constant stream of stories about the latest organisation to fall victim of a security breach / hack. And there is the ever present backdrop of the Snowden revelations and the US and UK government reviewing their approach to surveillance, while not forgoing any of their powers. Not forgetting the EU Commission’s push to get the new General Data Protection Regulation finalised later this year.

The notion that cloud is inherently insecure is absurd
But the notion that cloud is inherently insecure is as absurd as the one that on-premise is inherently secure. Data is only as secure as the measures adopted to ensure it is secure. If you have taken steps to protect your data on-premise then you would expect at least that in a cloud environment. If you haven't, then your data might be more secure in cloud.

Loss of control

From my perspective, what is more interesting is that there has been a marked increase in those worried about losing control/manageability of their IT, up from 24% last year to 40% now. It’s true that public cloud is often sold on the Henry Ford model — any customer can have our public cloud as long as it is exactly what we already sell with all the SLA and liability exclusions. I have advised clients privately and written and presented publicly on this topic. Summary: public cloud is great, but you need to go into it with your eyes open and be aware of the risks.

Equally, that suggests that some people believe the only cloud on offer is public cloud. Of course, no one really uses the NIST definitions (did they ever?) and consequently the term “cloud” doesn’t mean the same to everyone. If public cloud doesn’t do it for you, then you should consider private or hybrid cloud. These are customisable for the customer allowing them to build in the controls they need. And, of course I should point out that the Cloud Industry Forum (see earlier disclosure) code of practice advocates transparency, capability and accountability.

Are customers lazy?

In my experience, data security and, specifically, data protection laws are used as a lazy way of not making a decision that will lead to change. Sometimes this is to protect a large established on-premise IT team and the kudos and budget that goes with it. Sometimes it is a specious understanding of what the law says: yes it says be careful how and where you store your data but, no, as a general rule it doesn’t say you can’t move data outside the UK / Germany / EU / EEA / into a cloud.

If you want something you need to identify clearly what it is you want and your budget for it. Everyone knows that a Smart car and a Rolls Royce perform the same basic function of getting you from A to B but they have wildly different specifications. No one paying for a Smart car truly believes they are actually getting a Rolls Royce and vice versa. In cloud, as in life, you get what you pay for: if you want more, you generally have to pay more.

Frank Jennings is Cloud & Commercial Lawyer at Wallace LLP:  http://ow.ly/ORFh6