The data access, cost savings and reliability that cloud technology offers are too great for big businesses to pass over. So much so that leading tech industry voices predict that cloud computing will be one of three focus areas for IT spending in 2015, with a 42% increase on last year. The signs are that in spite of the data protection concerns that have been an unfortunate part of the cloud story so far, it will become an integral part of business communications in the coming years.
At the same time, it is naïve to think that those security concerns will go away, or that cyber criminals will leave big businesses alone. With the EU General Data Protection Regulation predicted to be finalised by the end of 2015, IT departments must get to grips with the compliance and data protection issues that come with the cloud. This blog post looks at three areas for concern.
Where is the cloud in your company?
It may well be that your organisation has not officially taken on any cloud services. However, within large companies (especially those with many offices and branches) certain departments and teams may be using cloud technology without the central IT department knowing. While this is frustrating for the IT function, the real problem is the risk rogue cloud users pose to data protection and security.
Not everyone knows that cloud services can be hosted in one country and utilised by people in another. Or that different countries have different data protection laws. It is entirely possible that a cloud user can think their data is protected under their country’s laws, yet it may not be protected at all.
Getting a handle on where the cloud is being used is essential to knowing where, if anywhere, data protection threats reside in a company. IT managers should ask departmental heads to conduct cloud audits within their teams and report back. Soon enough a complete picture of company-wide cloud usage will have been built up.
Are you regulations savvy?
Last August it was reported that most cloud providers don’t meet the proposed EU regulations on data protection. This is a worrying fact in itself; even more so when the incoming laws dictate that data controllers (i.e. you) have to share liability for breaches and violations with data processors (i.e. your cloud provider).
The detail of the forthcoming legislation is so great that it warrants its own article. But it is absolutely necessary that IT departments read up on the regulations and ensure that their cloud providers comply with them. In general this should require nothing more than a meeting with the supplier to check that they have the correct compliance certifications. If not, it is time to consider working with a different provider.
The policy problem
In addition to issues around corporate responsibility and liability, data owners must also think about the policy documents that govern the information they are in charge of. Data protection authorities can request a policy review at any time, so this is not something big businesses can sit on. Every data-owning organisation must have a set of privacy policies (such as the right to be forgotten) in place, so that users and clients can know what is happening with their data.
Some industry experts recommend establishing governance groups to manage data if and when it goes into the cloud – as well as the relationship with the cloud provider. Others suggest creating and maintaining an asset register so that companies know what data they own and where it is. The best thing all businesses can do is work with a cloud provider that can readily provide compliance certification, disaster recovery plans, encryption policies and detail on how your data will be stored and accessed.
While the cloud isn’t going anywhere, neither are the hackers – the BBC recently reported 2.5 million instances of cybercrime last year alone. The good news is that the threat they pose can readily be defended against by working with the right provider and ensuring that all compliance concerns are addressed. Knowing where and how the cloud is being used in your company is crucial to ensuring that, as this technology grows in popularity, you are both compliant and secure.