Data Security and Loss of Control Killing Cloud?

Uploaded on 2015-06-27 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Data security and loss of control killing cloud?

A recent poll shows that, despite booming cloud adoption rates, concerns over data security and privacy persist.

Hang on, that’s the same as every other poll I’ve read over the last 5 years.
What’s different about this is that attitudes seem to have hardened. The Cloud Industry Forum (disclosure – I chair their code of practice board) asked 250 senior IT managers and business decision-makers from both the public and private sectors in the UK. 70% were concerned about data security and 61% were concerned about data privacy compared to 61% and 54% respectively in last year’s poll. The exact numbers fluctuate but concerns over data remain consistent.

It’s hardly surprising when you have a constant stream of stories about the latest organisation to fall victim of a security breach / hack. And there is the ever present backdrop of the Snowden revelations and the US and UK government reviewing their approach to surveillance, while not forgoing any of their powers. Not forgetting the EU Commission’s push to get the new General Data Protection Regulation finalised later this year.

The notion that cloud is inherently insecure is absurd
But the notion that cloud is inherently insecure is as absurd as the one that on-premise is inherently secure. Data is only as secure as the measures adopted to ensure it is secure. If you have taken steps to protect your data on-premise then you would expect at least that in a cloud environment. If you haven't, then your data might be more secure in cloud.

Loss of control

From my perspective, what is more interesting is that there has been a marked increase in those worried about losing control/manageability of their IT, up from 24% last year to 40% now. It’s true that public cloud is often sold on the Henry Ford model — any customer can have our public cloud as long as it is exactly what we already sell with all the SLA and liability exclusions. I have advised clients privately and written and presented publicly on this topic. Summary: public cloud is great, but you need to go into it with your eyes open and be aware of the risks.

Equally, that suggests that some people believe the only cloud on offer is public cloud. Of course, no one really uses the NIST definitions (did they ever?) and consequently the term “cloud” doesn’t mean the same to everyone. If public cloud doesn’t do it for you, then you should consider private or hybrid cloud. These are customisable for the customer allowing them to build in the controls they need. And, of course I should point out that the Cloud Industry Forum (see earlier disclosure) code of practice advocates transparency, capability and accountability.

Are customers lazy?

In my experience, data security and, specifically, data protection laws are used as a lazy way of not making a decision that will lead to change. Sometimes this is to protect a large established on-premise IT team and the kudos and budget that goes with it. Sometimes it is a specious understanding of what the law says: yes it says be careful how and where you store your data but, no, as a general rule it doesn’t say you can’t move data outside the UK / Germany / EU / EEA / into a cloud.

If you want something you need to identify clearly what it is you want and your budget for it. Everyone knows that a Smart car and a Rolls Royce perform the same basic function of getting you from A to B but they have wildly different specifications. No one paying for a Smart car truly believes they are actually getting a Rolls Royce and vice versa. In cloud, as in life, you get what you pay for: if you want more, you generally have to pay more.

Frank Jennings is Cloud & Commercial Lawyer at Wallace LLP:  http://ow.ly/ORFh6

 

« US spied on French presidents
NSA Chief: Don’t Assume China Hacked OPM »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DriveLock

DriveLock

Our security solution is designed to prevent external attacks, which are evermore sophisticated as well as monitor, document and even prevent internal incidents.

European Internet Forum (EIF)

European Internet Forum (EIF)

EIF’s mission is to help provide European political leadership for the political, economic and social challenges of the worldwide digital transformation.

Messageware

Messageware

Messageware is the market leader in securing, enhancing, and customizing Microsoft Exchange and Outlook Web App.

IT Association of Slovakia (ITAS)

IT Association of Slovakia (ITAS)

ITAS is a professional association of domestic and foreign companies operating in the field of information and communication technologies

7Safe

7Safe

7Safe has been delivering hands-on digital security training courses since 2001 and offer e a portfolio of university and industry-accredited courses.

Virsec Systems

Virsec Systems

Virsec detects and remediates previously “indefensible” advanced memory-based attacks on critical applications and server endpoints.

Ignyte Assurance Platform

Ignyte Assurance Platform

Ignyte Assurance Platform™ is a leader in collaborative security and integrated GRC solutions for global corporations in Healthcare, Defense, and Technology.

North European Cybersecurity Cluster (NECC)

North European Cybersecurity Cluster (NECC)

NECC promotes information security and cybersecurity-related cooperation and collaboration in the Northern European region in order to enhance integration into the European Digital Single Market.

Elron Ventures

Elron Ventures

Elron partner with early stage ventures to build companies that transform lives and industries. Our main areas of focus are enterprise software, cybersecurity, and healthcare.

Bloc Ventures

Bloc Ventures

Bloc Ventures is an investment company providing long-term, ‘patient’ equity capital to early stage unquoted deep technology companies.

Real Protect

Real Protect

Real Protect is a Brazilian provider of managed security (MSS) and cyber defense services.

Xopero Software

Xopero Software

Xopero Software develops a comprehensive range of professional tools for protecting and restoring critical business data.

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER) conducts full spectrum military cyberspace operations in order to enable freedom of action in cyberspace and deny the same to the adversary.

CampusGuard

CampusGuard

CampusGuard focuses on the cybersecurity and compliance needs of campus-based organizations including higher education, healthcare, and state and local government.

SPIE Switzerland

SPIE Switzerland

SPIE Switzerland AG, a subsidiary of the SPIE Group, is a Swiss full-service provider of ICT, multi-technical and integral facility services.

B&L PC Solutions

B&L PC Solutions

B&L PC Solutions deliver top cyber security services on Long Island and New York city to protect businesses from evolving online threats.