Technology

Responsible Cloud Migration – Overcoming Data Security Challenge

Alasdair Anderson 23 August 2024

Responsible Cloud Migration – Overcoming Data Security Challenge

As the author argues, data is widely regarded as an organisation’s main asset, but data accountability is rarely owned, which can lead to errors that incur fines, loss of consumer trust, and impact brand reputation.

As businesses begin their digital transformation journey, one factor is often overlooked: data ownership. To quickly capitalise on their data businesses may opt for solutions such as third-party cloud vendors, that seem to promise shared responsibility, fast data accessibility, and enhanced cybersecurity. However, such an approach lacking data responsibility can lead to undesirable consequences such as data breaches, losing consumer trust, and hefty fines.

In this article, Alasdair Anderson, vice president at data protection platform Protegrity, provides insight into the serious risks uninformed cloud migration can incur, and how to avoid them. (See here for a previous article about this firm.)

This news service is pleased to share these comments; the usual editorial disclaimers apply to views of guest writers. Email tom.burroughes@wealthbriefing.com if you wish to respond.

 

Since the world went digital the value of data has been unprecedented, and as businesses race to adopt the latest tech to optimise and monetise their data it is set to increase in value at an exponential rate. However, whilst data is widely regarded as an organisation’s main asset, data accountability is rarely owned, which can lead to errors that incur fines, loss in consumer trust, and impact brand reputation. To ensure best practice, organisations should apply caution when considering their next step in digital transformation, such as when migrating data to the cloud.

Who are you giving the keys to?
Using cloud software promises real-time data sharing and increased innovation through analytics, which can be beneficial to business growth. For fast-paced business environments and busy cybersecurity teams, it is attractive to opt for a third-party cloud vendor as it appears to be a simple solution, and robust cybersecurity measures can be assumed. On the surface it is simple, however, further investigation provides concerning insights. 

Firstly, when a customer uploads data to the cloud, they surrender control of their data. Publishing data on the cloud gives the third-party permission to copy or move data without consent – sometimes to locations even the cloud isn’t aware of. Cloud platforms are nebulous, leading to organisations often having their data spread across multiple levels, making it difficult to monitor and the risk of data loss is a real threat. 

Further, when data is placed in the hands of another vendor, it possesses the passwords and encryption keys needed to secure the data. This means that data can potentially be accessed in its pure state by anyone, including partners. Publishing data on the cloud without considering data privacy is akin to giving a stranger the keys to your shop and trusting them to lock up.

The main issue here is data accountability. Results-driven organisations, perhaps too separated from their sensitive data, are looking for quick ways to optimise their data and share the responsibility. Unfortunately, in an eventual cloud breach, as cloud security offerings are often found to be lacking, cloud providers will find a loophole to pass the responsibility back to its user. As such, the first step in achieving responsible cloud migration is for an organisation to recognise ownership and responsibility for the valuable data it possesses. Ultimately, the success in migrating to the cloud relies on data accountability and ensuring that all members of the team understand the privacy policies surrounding it. Establishing a culture of organisational security and recognising the worth of one’s assets will make it less likely for the keys to be handed to a stranger without a background check.

Cloudy rules for data compliancy
Cloud providers don’t provide physical infrastructure for audits, nor are consumers permitted to verify vendor security, making background checks difficult. It instead relies on an honour system, which contrasts with the standard practice in vendor data security of “trust but verify.” In this instance organisations may find that publishing data on the cloud immediately conflicts with their internal data security policies and regulatory compliance requirements, running a risk of incurring large fines when subjected to a compliancy audit. When deleting data from the cloud the element of hazy trust appears: consumers cannot verify whether their data has been deleted; it is at the discretion of the cloud vendor.

Considering threats to data control and compliancy make cloud migration seem too risky a venture and may cause concern for those in the midst of a cloud migration journey. This may make an organisation and its cybersecurity team feel caught in the crosshairs of competitive innovation, security, and data-compliancy challenges.

However, prioritising data-centric security measures can provide a holistic approach to mitigating risks in the cloud environment and reap the benefits of its usage. Partnering with a data protection platform in this instance can provide support with enhanced security and ensured compliancy.

Groundwork ensures secure results
Migrating to the cloud with the use of a third-party data protection platform can be a comprehensive solution to support responsible cloud migration for even sensitive data. Take for example the case study of a global bank that used a data protection platform to migrate 70 per cent of its workloads to the cloud. 

The challenge was to implement highly scalable serverless data protection for its big data, containing information such as salaries and personally identifiable information (PII). Thanks to collaboration between diverse teams, thorough planning, and considering data security at every step between both technology and organisational structure, the project was a success. The bank now enjoys modernised data applications, automation, and security measures.

To ensure lasting success the bank prioritised policy, safety, and simplicity. Its team assessed why it wanted to make use of the cloud, which informed the understanding of what data was worth uploading. It is an essential step when assimilating any new technology, or to anonymise data through privacy enhancing technologies (PETs) like encryption or pseudo-anonymisation. 

Using a data protection platform ensured that the key to encrypt and decrypt the data didn’t need to go to the cloud. With the data effectively secured, the bank could opt to place its anonymised data in one central account: making its data more straightforward to audit, monitor, and manage accesses. 

The entire process was carefully risk assessed before execution, run through rigorous testing, and its results were carefully audited and monitored before implementation. In responsible cloud migration, being methodical and risk aware garners the best results, and ensures that all data is safe and uncorrupted for future operations.

Prioritising data simplifies cloud migration
Whilst cloud migration creates a multitude of security and privacy concerns, if approached with a data-centric mindset it can be effectively executed whilst ensuring data compliancy and mitigating risk.

Focusing on data security and partnering with a data protection platform provides a simplified, scalable pathway that reduces overall costs and risk of data breaches. A data security platform provides layers of protection such as PETs, a zero-trust framework, and enhanced overall security, lowering a company’s risk profile and still driving innovation.

Register for WealthBriefing today

Gain access to regular and exclusive research on the global wealth management sector along with the opportunity to attend industry events such as exclusive invites to Breakfast Briefings and Summits in the major wealth management centres and industry leading awards programmes