Responsible Cloud Migration – Overcoming Data Security Challenge
As the author argues, data is widely regarded as an organisation’s main asset, but data accountability is rarely owned, which can lead to errors that incur fines, loss of consumer trust, and impact brand reputation.
As businesses begin their digital transformation journey,
one factor is often overlooked: data ownership. To capitalise
quickly on their data, businesses may opt for solutions such as
third-party cloud vendors that seem to promise shared
responsibility, fast data accessibility, and enhanced
cybersecurity. However, such an approach, lacking data
responsibility, can lead to undesirable consequences such as data
breaches, loss of consumer trust, and hefty fines.
In this article, Alasdair Anderson, vice president at data
protection platform Protegrity, provides
insight into the serious risks uninformed cloud migration can
incur, and how to avoid them. (See here for a
previous article about this firm.)
This news service is pleased to share these comments; the usual
editorial disclaimers apply to views of guest writers. Email
tom.burroughes@wealthbriefing.com
if you wish to respond.
Since the world went digital, the value of data has been unprecedented, and as businesses race to adopt the latest tech to optimise and monetise their data, it is set to increase in value at an exponential rate. However, whilst data is widely regarded as an organisation’s main asset, data accountability is rarely owned, which can lead to errors that incur fines, cause a loss of consumer trust, and impact brand reputation. To ensure best practice, organisations should apply caution when considering their next step in digital transformation, such as when migrating data to the cloud.
Who are you giving the keys to?
Using cloud software promises real-time data sharing and
increased innovation through analytics, which can be beneficial
to business growth. For fast-paced business environments and busy
cybersecurity teams, it is attractive to opt for a third-party
cloud vendor as it appears to be a simple solution, and robust
cybersecurity measures can be assumed. On the surface it is
simple; however, further investigation provides concerning
insights.
Firstly, when a customer uploads data to the cloud, they
surrender control of their data. Publishing data on the
cloud gives the third party permission to copy or move data
without consent – sometimes to locations even the cloud isn’t
aware of. Cloud platforms are nebulous, so organisations
often have their data spread across multiple levels, which makes
it difficult to monitor, and the risk of data loss is a real
threat.
Further, when data is placed in the hands of another vendor, that
vendor possesses the passwords and encryption keys needed to secure
the data. This means that data can potentially be accessed in its
pure state by anyone, including partners. Publishing data
on the cloud without considering data privacy is akin to
giving a stranger the keys to your shop and trusting them to lock
up.
The main issue here is data accountability. Results-driven
organisations, perhaps too separated from their sensitive data,
are looking for quick ways to optimise their data and share the
responsibility. Unfortunately, in the event of a cloud breach, as
cloud security offerings are often found to be lacking, cloud
providers will find a loophole to pass the responsibility back to
their users. As such, the first step in achieving responsible cloud
migration is for an organisation to recognise ownership and
responsibility for the valuable data it possesses. Ultimately,
the success in migrating to the cloud relies on data
accountability and ensuring that all members of the team
understand the privacy policies surrounding it. Establishing a
culture of organisational security and recognising the worth of
one’s assets will make it less likely for the keys to be handed
to a stranger without a background check.
Cloudy rules for data compliancy
Cloud providers don’t provide physical infrastructure for audits,
nor are consumers permitted to verify vendor security, making
background checks difficult. The arrangement instead relies on an
honour system, which contrasts with the standard practice in vendor
data security of “trust but verify.” In this instance,
organisations may find that publishing data on the cloud
immediately conflicts with their internal data security policies
and regulatory compliance requirements, running a risk of
incurring large fines when subjected to a compliancy audit. When
deleting data from the cloud the element of hazy trust appears:
consumers cannot verify whether their data has been deleted; it
is at the discretion of the cloud vendor.
Threats to data control and compliancy can make cloud
migration seem too risky a venture and may cause concern for
those in the midst of a cloud migration journey. This may make an
organisation and its cybersecurity team feel caught in the
crosshairs of competitive innovation, security, and
data-compliancy challenges.
However, prioritising data-centric security measures can provide
a holistic approach to mitigating risks in the cloud environment
while reaping the benefits of its usage. Partnering with a data
protection platform in this instance can provide support with
enhanced security and ensured compliancy.
Groundwork ensures secure results
Migrating to the cloud with the use of a third-party data
protection platform can be a comprehensive solution to support
responsible cloud migration for even sensitive data. Take for
example the case study of a global bank that used a data
protection platform to migrate 70 per cent of its workloads to
the cloud.
The challenge was to implement highly scalable serverless data
protection for its big data, containing information such as
salaries and personally identifiable information (PII). Thanks to
collaboration between diverse teams, thorough planning, and
considering data security at every step between both technology
and organisational structure, the project was a success. The bank
now enjoys modernised data applications, automation, and security
measures.
To ensure lasting success the bank prioritised policy, safety,
and simplicity. Its team assessed why it wanted to make use of
the cloud, which informed the understanding of what data was
worth uploading. This is an essential step when assimilating any
new technology, or when anonymising data through privacy-enhancing
technologies (PETs) like encryption or
pseudo-anonymisation.
Using a data protection platform ensured that the key to encrypt
and decrypt the data didn’t need to go to the cloud. With the
data effectively secured, the bank could opt to place its
anonymised data in one central account, making it more
straightforward to audit, monitor, and manage access to that data.
The entire process was carefully risk-assessed before execution,
run through rigorous testing, and its results were carefully
audited and monitored before implementation. In responsible cloud
migration, being methodical and risk-aware garners the best
results, and ensures that all data is safe and uncorrupted for
future operations.
Prioritising data simplifies cloud migration
Whilst cloud migration creates a multitude of security and
privacy concerns, if approached with a data-centric mindset it
can be effectively executed whilst ensuring data compliancy and
mitigating risk.
Focusing on data security and partnering with a data protection
platform provides a simplified, scalable pathway that reduces
overall costs and risk of data breaches. A data security platform
provides layers of protection such as PETs, a zero-trust
framework, and enhanced overall security, lowering a company’s
risk profile and still driving innovation.