As the internet continues to change basic ideas about trust, safety, and privacy, it’s hardly surprising that data security remains at the top of the agenda for businesses evaluating the benefits of cloud technology.
Among large, more efficient organisations, confidence in the cloud is growing. In the past, vendors were relatively secretive about what was happening – but today they’re much more open about the types of controls they have and the reports they can provide to companies.
Nonetheless, many organisations remain attached to their legacy IT environments and operating models, convinced that what’s held internally is necessarily safer.
“A lot of people assume that if they keep data within the company then somehow they have more control than the cloud,” says Greg Bell, global information protection and security lead partner at KPMG in the US.
“But that’s a very generic statement. Some of the more common cloud service providers have a few hundred people making sure data is well protected – it can be much better than what you see internally.
“The large providers traditionally have invested large amounts in security and availability. From that standpoint you get a much higher level of comfort than with traditional security models.”
Of course, risks still exist. One of the most sensitive points today, particularly in a global environment, is the issue of data sovereignty. Many countries in the EU and South-East Asia have specific rules regarding data and how it has to be moved from country to country.
“When you move to a cloud service provider, they may decide to move data without your permission to multiple data centres to provide high availability,” Bell says. “You need to work with your cloud service provider to make sure your data stays in the countries you’re comfortable with. It’s the responsibility of cloud consumers to evaluate and manage that risk, usually through contractual terms.”
Attempts to intercept data are also rising and all companies are affected, according to Bell.
“A lot of clients assume they’re not a target because they’re not a big global brand,” he says. “But we’ve seen every size and scope of organisation being attacked. You can’t hide behind the obscurity level any more. I think you have to know that every organisation is at risk and they all have to weigh up that risk.”
The value of information
Having a robust data strategy that can evaluate cloud service providers empirically is the key to mitigating these risks. That means understanding the value of information assets and the control you have over them.
“Without this, it becomes very hard to make intelligent business-driven decisions about what data and business functions can go to the cloud,” Bell says. “Once you know what level of control you have internally, you can make that decision about the cloud much better. What happens in a number of organisations is that an operational or business executive makes the decision unilaterally without the involvement of the CIO or CFO. This needs to change.”
This article represents the views of the author only, and does not necessarily represent the views or professional advice of KPMG in the US.