This is by far the most common question I get when talking to people about cloud migrations. And rightly so: information security (together with data privacy) is among the top concerns for businesses looking to move to cloud computing.
To be quite frank:
- Generally the data stored in the cloud is very secure and
- Most likely it is safer than it currently is in your company.
A New Model Brings New Threats
Now let’s not make a mistake here: cloud computing does raise security issues that are not typically found when your data is stored on-premises in your own building. So much so that industry standards are still adapting to cloud-specific challenges. For example, not many people realise that your company data might be stored in a common datacenter where data from other companies is stored as well. The concept of multi-tenancy scares a hell of a lot of people.
Who is Ultimately Responsible for Securing my Information?
This is an important question, and before we answer it, let’s take a step back and discuss the matrix of responsibility. First we need to establish the nature of the information stored, because it is the data sensitivity that dictates the level of infrastructure security necessary.
OK, so now that we have that in mind, the second part is about addressing the responsibility. The cloud provider is most likely to be responsible for the security and privacy controls which will be available to you.
So now you have it:
- The cloud provider is responsible for the infrastructure lockdown, and
- the customer is the one who drives the data protection requirements.
It does not help that you store your data in the cloud if you still use weak password controls or poorly governed processes around your business and data access, right? That’s why a proper cloud security assessment is so important: most likely, when a data breach happens it is because of you. Don’t be ashamed to admit it if you have them; weak security controls are very pervasive in our industry, as you can see here.
What Are my Responsibilities as a Cloud Customer?
You need to understand what security controls your business needs, what data breach controls you want, what regulatory requirements your industry imposes, etc. Cloud companies like Microsoft or Amazon won’t know that. It is your job to know that and bring it to the discussion table. Like I said before, these cloud companies are extremely capable and secure, so normally it is up to the customer to up their game.
In short you as a customer have to:
- Understand your data sensitivity
- Ensure your chosen cloud provider offers the controls your business needs
So there you have it. Generally the conversation here evolves to “So nothing ever goes wrong in the cloud? Are you telling me that data breaches never happen?”…no, but this is a talk for another day.
See ya later!