Compliance in the cloud
Cloud computing may pose serious data security threats to businesses wanting to save on software licensing and support services. This is according to a recent report by City law firm Reynolds Porter Chamberlain (RPC).
In theory, the concept of cloud computing can be more secure than do-it-yourself computing since shared costs allow larger overall investment in security processes and infrastructure. The business benefits to the cloud model are also compelling, creating a centralised method to access shared data, significantly lowering costs and reducing data centre space and power. However, despite the cost saving potential offered by moving data storage and applications online, the use of cloud computing may lead to breaches of the Data Protection Act (DPA) by businesses and their information security obligations to their customers.
For example an organisation, choosing to outsource their data storage, risks claims being made against them by their customers if data held by the host server becomes unavailable during an interruption or outage, or even lost. The likelihood of service interruptions also raises concerns over the use of the cloud for applications that are critical to the day to day running of an organisation, such as database or email. According to a recent report by analyst house Gartner, the cloud computing community has received reports of 14 outages and consequent lost data and security issues throughout 2009, an increase from just one in 2008 (‘Gartner on cloud computing’, 2009).
As most cloud computing service providers will not guarantee the security of the data they store, this may put organisations in breach of their requirements under the DPA to ensure an appropriate level of security. Furthermore, companies regulated by the Financial Services Authority are required to have adequate risk management systems in place, and any failure to comply could result in a considerable fine. In light of this, organisations must realise that accountability for valuable business data cannot be as conveniently outsourced. Therefore, when considering a cloud-based service, organisations should look into various solutions which not only protect them from the well known malicious threats, but enable them to fully comply with applicable regulations to protect their own sensitive data such as credit card details and customer data.
Selecting the correct cloud solution
When selecting a cloud solution, it goes without saying that organisations should look for efficient and customisable offerings that do not compromise data and which also enable savings on their capital and operational costs. The problem is, that there are multiple vendor offerings on the market that address these needs. Organisations need to consider an overall cloud based service that provides data privacy and regulatory compliance by ensuring that confidential data remains in a dedicated cloud with clear security boundaries. Only then will they be able to ensure that confidential data remains within the corporate boundaries and is not stored in the public cloud.
Organisations must also remember that management will always be responsible for protecting company and customer data. It is, therefore, essential when moving applications and data towards the cloud that companies consistently ensure the health of the cloud-provided services. This includes gaining complete confidence that the cloud provider is a viable, stable business with assurances and protections, such as comprehensive risk and security defences in place, to safeguard business data.
Alongside guarantees from the cloud provider, businesses must also ensure that they have an alternative strategy in place in the case of any disruptions or loss of connectivity to the cloud-based service. This includes awareness of the providers’ fallback plans and commitments that may jeopardise valuable information. Businesses also need to bear in mind that any interruptions to cloud computing providers may have to be dealt with on both a short- and long-term basis, depending on the nature of the disturbance.
However, guarantees from your cloud provider are all well and good, but they can’t stop Government enforcing regulation. The current criminal justice and immigration bill states that the UK Information Commissioner has the power to levy fines on companies who recklessly lose confidential or personal information. This means that it is now more important than ever for organisations to protect themselves from the loss of sensitive data in the cloud, particularly as the level of fines could run to millions of pounds.
In summary, it appears that with many organisations moving their business applications online, cloud computing is here to stay. While businesses should always protect themselves from malicious threats such as malware, trojans, botnets and phishing attacks, there are still major concerns about whether organisations can have complete access and control their sensitive data in the cloud. It is therefore imperative that when searching for a cloud solution, companies consider a service that protects them from data loss.
