No enterprise should build a cloud computing strategy without taking into consideration security and risks. Although cloud infrastructures can deliver transformational benefits to enterprises, they need to be mindful of data protection and compliance requirements in the countries they are operating in.
New data privacy regulations are being legislated in multiple countries such as China, Russia and Australia as well as across 28 nations in the European Union. This implies that global enterprises are now required to comply with these new regulations.
UK Information Commissioner Elizabeth Denham warned in May 2017 that businesses are not adequately prepared for one of the biggest overhauls in data security and privacy legislation to hit the global business community: the General Data Protection Regulation (GDPR).
This regulation will come into effect a little over a year from now on May 25, 2018. Many enterprises do not fully understand the legislation, let alone the amount of effort required to comply with GDPR, she said.
GDPR affects companies worldwide if they process the personal information of EU citizens. Failure to comply can result in harsh penalties, amounting to €20 million or 4 percent of global revenues, whichever is greater. In addition, GDPR imposes unprecedented rules that will affect how businesses deal with data subjects.
Therefore, how businesses configure their cloud computing applications to meet GDPR requirements is paramount. An example of such a concern is as follows: under existing rules, companies can rely on blanket consent from an individual to use their data for different things. With GDPR however, companies must gather explicit consent when using the same set of data for different purposes, such as use in marketing, sales or support maintenance purposes.
The new data portability requirements allow individuals to view the data that a company holds about them, and they can also request a copy of the data in machine-readable form and send it to another service provider of their choice. This rule includes data held with third-party cloud service providers (known as “data processors”). Companies are required to comply with the new regulations within a month.
Businesses must ensure that the cloud-based services they subscribe to are able to support such data retrieval requests. They must also follow a plethora of new guidelines dictating a secure systems design, and the need for ongoing privacy impact assessments when making changes to their data processing systems.
GDPR also upholds requirements governing cross-border data transfer in between EU member states and other nations. It is part of a growing trend in which regulators are imposing greater scrutiny to where the consumer’s data is stored.
“Data privacy and sovereignty has come into the foreground in recent years because of personal data records increasingly captured by our customers,” says Derrick Loi, senior director for Orange Data Centre and Cloud, Asia Pacific, at Orange Business.
“Governments are increasingly concerned, and they indicate that companies are required to host that personal data on the soil where the consumer resides, and therefore be protected by local legislation,” he says. This focus extends outside of EU member states, including China and Russia.
Data sovereignty laws present a challenge for multinational companies, says Loi. These companies must ensure that sensitive data is restricted to specific geographies, even though companies still want to take advantage of the flexibility that cloud computing brings.
One of the solutions to address this set of new data sovereignty laws is to create hybrid cloud environments featuring private cloud components located in particular jurisdiction territories. Hybrid cloud enables companies to store and process non-sensitive data in the public cloud, while still abiding by local data sovereignty laws for sensitive data.
Preventing data breaches
Governments are imposing these security and sovereignty laws partly because of the threat of data being lost to external attackers.
Data breaches topped a 2016 list of the top security threats facing cloud computing, based on a report released by the Cloud Security Alliance. Infiltration of a private or public cloud computing infrastructure to steal data is a clear and present threat to companies storing data in the public cloud, said its report.
Managing data breaches in cloud environments will become even more challenging under the new GDPR legislation, which mandates that breaches must be reported to both the local regulatory body and the consumer.
To prevent security breaches, companies must adopt a more proactive stance in detecting and neutralizing cybersecurity incidents, says Loi.
“Security has evolved from passive, reactive security to proactive monitoring and threat prevention,” he warns. “Advanced diagnostic and threat remediation can detect patterns and hopefully detect threats before they even take place.”
As the volume of system events grows over time and multi-cloud environments become more complicated, complying with such laws will be challenging.
Alban Ondrejeck, Head of IT outsourcing and cloud business security at Orange Business, emphasizes that technology will play an important role in monitoring system events.
“It is important to know what is happening in real time on your systems,” he says. Companies must implement the technology to help them log and analyze these events, and deploy the human skills required to make decisions about the data they received from the events.
The race is on to bolster cloud computing security as the various new national and regional legislations, take effect.
“We will have the power of audit, and to look at accountability and data governance,” Denham reminded companies. “It’s not just about going in and investigating data security incidents... we will also expect companies to have a full [data protection] regime in place.”
Download our cloud ebook ‘Create a cloud experience your business can depend on’ to find out more about security and privacy best practices in cloud and overcoming the most common cloud challenges.
Danny Bradbury has been writing about technology since 1989. He covers consumer and enterprise technology subjects for a variety of publications including the Guardian, the Financial Times and Canada's National Post.