More businesses than ever are migrating core operations to cloud platforms. From storage to connectivity and whole IT systems, cloud providers are responsible for multiple mission-critical services.
Companies benefit from this in many ways: reduced costs, greater flexibility, improved productivity and security.
However, many businesses (83%, according to backup software firm Veritas) believe that cloud providers are wholly responsible for keeping customer data safe. In a stricter regulatory environment, that is something companies can’t afford to assume and shouldn’t leave to chance.
If you have already migrated some or all of your IT infrastructure to the cloud, or are planning a digital transformation project, here’s what you need to know:
Regulatory and compliance risks in the Cloud
Businesses face a combination of risks. Cyber attacks are more frequent; ransomware, malware, DDoS and bots are all working to undermine corporate and SME defences. Your data is worth something to someone, regardless of how large your company is or what sector you operate in. It can be sold or published online, making it a valuable target.
At the same time, regulators are going to be tougher on firms that don’t make every reasonable effort to keep that data secure. With the General Data Protection Regulation (GDPR) now in force, companies can be fined “€20m or 4% of annual worldwide turnover, whichever is greater”, exceeding the £500,000 maximum fine under the Data Protection Act.
Other regulations, such as an updated PCI-DSS standard for payment processing, have forced further action on how companies collect and process data. Keeping it secure is mission critical.
Isn’t data protection down to cloud providers?
Under GDPR, the definition of “personal data” has expanded. Many small and medium businesses, for example, are registering with the ICO to ensure they’re compliant under GDPR, having realised that they too are responsible for collecting personal (client) data.
This means that more companies than ever are responsible for collecting, processing and safeguarding information under the law. Unfortunately, passing responsibility for security on to cloud providers isn’t an option.
Even if a cloud provider is proud of the cyber security systems they have in place (and many will talk about this, as these are key selling points), under the Data Protection Act it’s still the responsibility of the company collecting and using the data. If a breach occurs, you can’t blame a supplier.
Companies need to know the following, as a minimum:
- Where data is stored (is your cloud on-site, an external data centre or more than one centre in multiple locations, or a hybrid)?
- How does it travel (encryption is essential)?
- Why it might be moved and where it goes; e.g. does it move between cloud providers and software services and, if so, is it secure?
- And ultimately, who is responsible for all of this, on a daily basis and in the event of a breach?
All of this is designed to protect your customers, your ‘data subjects’. Disaster recovery scenarios should be worked out for the event that a server fails or a system goes down within this environment.
Even data that is apparently “clean” could fall within the scope of regulatory requirements if combining it with other sources could result in personal identification. When you are working with multiple vendors and SaaS providers, it can be harder to know where your data is. To be safe, carry out an audit. Make sure you can trace where data goes and how secure it is, then only work with vendors that offer complete accountability and are fully compliant with GDPR.
Staying safe in a stricter regulatory environment involves taking proactive steps to secure data wherever it goes. This responsibility falls squarely on the company collecting and using the data, not the cloud suppliers it is working with.
Naturally, there is help at hand to navigate the cloud vs. compliance vs. cyber security landscape. If you would like to talk to a consultant informally about your requirements and what steps can be taken to ensure you get the benefits of cloud computing without exposing your business to risk, please get in touch.