Should I put my trust in the cloud?
Concern over data security intensified after last year’s Snowden revelations. They made people question who has control over, and access to, their data, and raised particular issues of trust about cloud environments in general.
This is the second in a series of three blogs about cloud. The first took a broad look at today’s cloud industry post Snowden. This one will focus on how we manage the continuing issue of trust. And the third blog will examine how we need to drive new levels of transparency to convince the most skeptical customer that cloud can indeed be trusted.
Trust is imperative
First of all, we must be clear: the cost and operational benefits of cloud are immensely compelling today. And they will grow in importance with the massive volumes of data we can expect to store and manage in future. So trust is imperative if we are to take advantage of the personal and business opportunities that cloud represents for us all.
The second thing to say is that most security breaches actually have nothing at all to do with cloud providers, and can happen as easily – more easily, in fact – on an organization’s own premises as in a cloud environment. The motive is often industrial espionage, and the perpetrators are usually hacker groups or even disgruntled employees. Government agencies are the least of our problems.
It is also true that security professionals today tend to focus on detecting attacks and responding to them quickly, using emerging techniques such as pattern recognition, multi-level security, and in-app security. Preventing every breach by a skilled, well-resourced attacker is nowadays close to impossible, and security budgets reflect this. Canopy, for example, a cloud services provider, makes extensive use of advanced detection technology as a critical part of its security offering.
All that said, however, the simple fact is that customers are concerned about cloud security, whether justified or not. Until they are confident in the cloud, they will not leverage its potential.
So what questions should we ask to begin the process of reassurance?
Where does the legal jurisdiction of my cloud service reside?
Data legislation varies hugely from country to country. Europe has a stringent legal framework in place, with harsh penalties for those in breach of EU law. By contrast, US data laws are more flexible, but any European company operating there must still comply with US legislation. This is partly reflected in the different legal status of data protection in the US and in Europe. In the US it is largely a matter of civil law: if you don’t like what someone has done with your data, and assuming you find out, you can sue them after the event. In Europe, however, it is a fundamental right: you can be sanctioned for putting such data at risk, even before any actual infringement has taken place.
Knowing where your data is stored is therefore crucial, as the physical location of the data largely determines which legal jurisdiction presides over it.
Can I control where my data is hosted?
If you put your personal possessions in a physical storage unit, you would expect to know where they are being kept and by whom. But when you store your data ‘possessions’ in the cloud, it is not easy to determine where the servers are. If compliance dictates that you must host your data in a certain country, choose a provider that can contractually guarantee it will be stored there, or opt for a private cloud environment that gives you more control over location.
Who handles back-ups?
It is important to consider where your information is replicated beyond its primary storage. A provider might store your data in one country but keep back-up copies in another. Know who is in charge of your back-ups and where they store any replicated data, because different legislation may then govern your primary and copied data sets.
Who reports on security breaches?
Because data protection is no longer just about preventing intrusions, you need to establish who will inform you when there has been a security breach involving your data, and how quickly they are obliged to do so once they detect it.
How do I know which services are trustworthy?
Competition between service providers is heating up. Many will try to assure you of their trustworthiness with security certifications, but make sure you understand which accreditations your provider actually holds, what they cover, and what they mean for the protection of your data.
These are key areas to consider in rebuilding trust in the cloud. In our third and final blog, we will look at how provider transparency should also help – underpinned by robust regulatory compliance.