Technology is changing so rapidly that keeping up with the associated worldwide privacy challenges reminds me of a quote from the White Rabbit in Alice in Wonderland: “Here we must run as fast as we can, just to stay in place!”
The cloud is one of those rapidly evolving spaces. Major data breaches seem to be in the news almost every week now.
Once you think you understand the privacy landscape, a new breach can crop up and add a new issue. Not only does this impact the individuals whose data is exposed, but it also affects the companies that are responsible for the data breaches.
These events can be extremely costly financially, and may even result loss of reputation or job. Privacy and data security has now firmly become a board-level issue.
So is hosting your data, applications or even your infrastructure in the cloud a viable alternative?
What is the Cloud?
As tempting as the image may be, it’s not something floating in the sky. Rather, the cloud is a model for providing applications and services hosted by a shared pool of resources to support high demand.
The National Institute of Standards and Technologies (NIST) defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
I define it a little more simply: The cloud is just someone else’s computer.
So why would you put your data and systems, or even host your infrastructure on someone else’s computer?
The immediate draw to cloud computing is clear — reduced total cost of ownership and less hardware for IT administrators to maintain. Hosting your applications and storing your data in the cloud could reduce cost and improve global access to content.
Cloud computing offers many advantages to IT teams as well as technology providers and their customers. It allows companies to invest far less in infrastructure and resources that they must host, manage, administer and maintain internally, and invest more in the advanced applications they build on an externally hosted and fully redundant environment.
Risks of the Cloud
For organizations subject to regulatory requirements, the move to the cloud is not without risk. Some enterprises have significant concerns about storing business data outside the walls of their organization.
This is due to non-employee IT administrators possessing a high level of access and control over information, available technology options used to secure and manage user access and authentication, or even the actions of employees or contractors — both intentional and accidental.
For companies that are considering whether or not to move to the cloud, it’s not a question of if you are going to go to the cloud — it’s a question of what you are going to put in the cloud.
Most organizations will move some data to the cloud — whether it’s intentional or not. For instance, many employees are already storing and sharing business content in personal cloud applications, like Dropbox or Box. They typically use these due to ease of use and access — often leaving IT administrators and security officers with little control over how the information is managed.
There is much guidance available on how you should work with your cloud provider in regard to the security of your content. In fact, the NIST has created a specific guidance for US federal agencies implementing cloud technologies.
However, even this guidance does not present the fact that no matter where your data lives — whether it’s in on-premises systems or in the cloud — you are still responsible for it. Not only do you need to negotiate adequate protections to ensure your cloud provider will respond to incidents in a timely manner, but you must also plan what kinds of data, applications or infrastructure your organization is comfortable moving to the cloud.
Understanding Your Data
Before moving to the cloud, you must first understand the data you hold. Only through knowing what data you hold, along with internal company policies and external regulatory requirements, can you begin to take a risk-based approach to storing it appropriately.
This knowledge allows you to make informed decisions — including where it should live, who can access it and what kinds of controls you need to put around it.
Trusting Your Provider
After this discovery phase, you must consider your level of trust in your proposed cloud provider. The provider's transparency regarding security and data protection practices must also factor into your decisions.
For example, what can the company tell you about its backup and data recovery procedures? If your company is subject to data sovereignty requirements, you must ensure that data is kept within the country, along with the data backups.
The same reasoning applies for defensible data destruction and records management requirements. Make sure you know where all of the copies of your data reside. From the outset, you need to set clear expectations with your cloud provider.
Addressing Future Updates
Next, be sure that you have a clear understanding of how your cloud provider will roll out enhancements to their service. One of the great advantages of the cloud is that service providers — such as Microsoft, Amazon, and others — can continually update their offerings without requiring maintenance on your end.
While this is a great advantage from a technology perspective, it also may create privacy and data security implications. One simple way to address this is to ensure that any updates provided to your environment will first be done in a test or non-production environment. This way, security and data privacy teams can fully assess any risk before you introduce the new features to your systems.
If you have major objections that cannot be resolved, take a measured approach to overcoming them. Opt to offload select content or workloads to the cloud — keeping regulated and sensitive content on-premises.
As companies and government agencies move to a cloud-based infrastructure, they must also understand and review the associated privacy and security considerations. The cloud can make your life much simpler and help you manage your data in a much safer manner. Just be sure that from a data privacy and security perspective, your feet remain firmly planted on the ground as your applications move to the cloud.
Title image by Jeff Hendricks.