Particularly as it pertains to personal data that might be covered by the General Data Protection Regulation (GDPR) and other regulatory policies.
It is clear that cloud can introduce new risk to organisations. Cloud has been identified as the top technology that increases risk in a recent survey on enterprise risk from Isaca.
However, cloud security solutions have become essential for many organisations in today’s technology environment, so it is important for organisations to configure those partnerships carefully and in ways that best support the specific organisation’s data footprint.
This depends largely on the organisation's size and the type of data that it collects. Large companies are often astute at managing third-party contracts, but smaller companies frequently and mistakenly believe that simply using a cloud provider or software-as-a-service (SaaS) application means they are covered, and that might not always be the case – the company still has the ultimate responsibility for owning and processing its data.
However, third-party providers can help greatly and, in many cases, a small business using cloud ends up with better security, because the company could not otherwise devote the resources to security measures that a cloud provider supplies. In many respects, cloud providers are getting better than ever at providing security, but then again, given heightened regulation and scrutiny from both governments and the public, the standard for providing a sufficient level of security continues to rise.
Another important consideration is that, in many cases, organisations will want to encrypt the data stored in the cloud and then carefully manage those keys. They should be sure to have an appropriate key vault where keys are stored and never have them hard-coded into the software. Many cloud providers and third-party suppliers provide key vaults.
Again, the organisation's size will often come into play in determining the best path for key management. Small businesses are more likely to elect to have the cloud provider manage the key, because the cloud provider is likely to have more advanced expertise.
However, if key management is something an organisation feels comfortable with, as may be the case for many larger organisations, managing their own keys is likely to be the most obvious choice. If there is any doubt about how to handle the keys, letting a trusted third party manage the key is probably the way to go.
But beware: if organisations encrypt their data, they had better not lose access to that key, because if it goes missing, the data is lost with it, and that can have very serious and irreversible consequences.
Individual users might deploy encryption and then forget the encryption password that unlocks the key (not as rare as you might think), and then the data is gone unless they have an unencrypted backup available.
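The two points above, keeping keys in a vault rather than in application code and the fact that a lost key means lost data, as an added example that is not from the original article. The `KeyVault` class is a constructed in-memory stand-in rather than any provider's API, and the HMAC-based cipher is a stdlib-only substitute for a real AEAD so the example runs without extra packages.

```python
import hashlib
import hmac
import os
class KeyVault:
    """Constructed in-memory stand-in for a cloud key vault (not any provider's API): the app holds only key IDs."""
    def __init__(self):
        self._keys = {}
    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)
        return key_id
    def get_key(self, key_id):
        if key_id not in self._keys:
            raise KeyError(f"key {key_id!r} is not in the vault")
        return self._keys[key_id]
    def destroy_key(self, key_id):  # models a lost key: every ciphertext under it is now unrecoverable
        self._keys.pop(key_id, None)

def _subkeys(key):  # separate encryption and MAC keys derived from the vault key
    return tuple(hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib-only stand-in for an AEAD such as AES-GCM
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def encrypt(vault, key_id, plaintext):
    enc_key, mac_key = _subkeys(vault.get_key(key_id))
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"key_id": key_id, "nonce": nonce, "ct": ct, "tag": tag}  # records the key ID, never the key

def decrypt(vault, blob):
    enc_key, mac_key = _subkeys(vault.get_key(blob["key_id"]))  # raises KeyError once the key is gone
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))

def key_loss_outcome(vault, key_id, plaintext):
    """Returns (recoverable before key loss, recoverable after key loss) for data encrypted under key_id."""
    blob = encrypt(vault, key_id, plaintext)
    before = decrypt(vault, blob) == plaintext
    vault.destroy_key(key_id)
    try:
        after = decrypt(vault, blob) == plaintext
    except KeyError:
        after = False
    return before, after
```

The stored record carries only the key ID, so a source-code or database leak does not expose the key, and `key_loss_outcome` shows that once the vault no longer holds the key, the ciphertext cannot be recovered from anything the application kept.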
The nature of the data involved is another crucial factor. The more sensitive the data, the more reluctant organisations might be to outsource the security around that data, but at a minimum they should consider bringing in some outside expertise to make sure the keys are being managed properly.
For smaller companies, even if the data is highly sensitive, outsourcing key management to a cloud provider will probably be necessary to reduce the risk of losing keys.
Lastly, consider how the data is being protected and used, and be mindful of providing assurance over the full lifecycle of that data. Industry bodies such as Isaca and the Cloud Security Alliance provide useful resources for organisations along those lines.
While cloud security can pose complicated scenarios to organisations, many of the answers come back to having sound risk management policies and procedures. Perhaps the biggest recipe for success is organisations having a realistic understanding of their own security capabilities, how their resources are best deployed, and a reliable inventory of the nature of the data that they collect and maintain.
In many cases, engaging in agreements with cloud providers is an essential step, but it is critical that enterprises understand the division of responsibilities with the cloud provider and have an action plan in place for how to work together with the provider if an incident arises.