Data can be secure enough in the cloud

Frank Jennings looks at how to address data security risks in cloud adoption

Industry surveys consistently suggest that data security is the number-one concern when it comes to cloud adoption. Organisations frequently tell us they are concerned about the risks of putting their data in the cloud.

They fear their cloud provider will not keep it secure, and that their confidential and sensitive data will be lost by the provider or leaked after a hack attack. This could lead to reputation damage, lost business, or being fined by a regulator.

Cloud is not inherently insecure, although some IT users tell us they believe it is. Too often, those same users rely on some kind of security through obscurity. If an "average" hacker cannot find the organisation's data because it is held on-premise rather than in the cloud, the user believes their data must be secure.

Some users deploy lots of physical protection for their servers while overlooking other options.

Individuals often cite the UK's Data Protection Act as a piece of legislation that forces them to keep data inside the EU, or even within the UK. Often, they think the FBI can obtain unrestricted access to their data via the US Patriot Act. There is some truth behind these beliefs, but the actual risk level is often misunderstood.

Some IT departments will not authorise individuals to use their own devices in the workplace as they believe the data on them will not be sufficiently secure. However, plenty of employees bring their own devices to work anyway and use webmail and cloud storage.

Organisations sometimes treat all data the same and fail to categorise their data according to sensitivity or priority. This can not only reduce productivity but also introduce risk if everyone has the same access to all data – including the most sensitive.

But, as we say in a recent report, organisations can adopt practical and technical measures that will protect their data. Keeping data secure is not so much about whether it is on-premise or in the cloud as it is about having proper safeguards.

Users should classify their data according to importance and adopt security measures accordingly. They should also do due diligence on their providers, which should have a good reputation, hold recognised accreditations, and have addressed security questions. Security is about human behaviour too.

Practical steps to protect data should be covered by contracts with customers, staff and suppliers.

Frank Jennings is cloud data security lawyer at DMH Stallard and chairman of the code governance board at the Cloud Industry Forum