BreachExchange mailing list archives

Who is ultimately responsible for data security in the cloud?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Jun 2014 18:27:43 -0600

http://www.net-security.org/article.php?id=2058

A recent report following Infosecurity Europe 2014 suggested that 43 per
cent of organisations had no enterprise visibility or control into whether
employees were putting sensitive data into the cloud. Furthermore, a new
survey has shown that almost half of firms say they already, or plan to,
run their company from the cloud. Both of these findings clearly
demonstrate just how integral the cloud is becoming to businesses.

With increased reliance on cloud computing and so much data being entrusted
to it, the question must be asked: how do cloud providers ensure that
business data is secure and where does responsibility for data security
ultimately lie?

It is important to first consider who would be to blame for a data breach
should one occur. While it could be the cloud service provider, it could
just as likely be the company that has not fully researched the security
procedures in place before opting to put confidential data into the cloud.
It is essential for companies to exercise due diligence, although even
reasonable precautions will not stop the most resourceful attackers.

Ensuring data security within the cloud

Cloud providers are keen to stress that the data businesses store in the
cloud is secure. Verifying data integrity and availability are the best
understood methods of doing so, while user authentication and granular
access control are still not very well developed. Software assurance,
meanwhile, is still in its infancy, as the impact of the Heartbleed bug
demonstrated.

Entrusting the cloud with confidential data does not necessarily weaken a
company's security, but it very much depends on the company and the sector
it operates in. For some, perhaps most, it is better to buy cloud storage
solutions off-the-shelf because the expertise to build a better solution
simply isn't available in-house. That does not, of course, remove the need
for each company to carry out its own risk assessment first.

There is no panacea for how a company and its cloud provider should jointly
ensure that data is secure. Setting clear expectations and goals is
important, and key questions should be considered, for example: Where is
the data going to be stored and under what jurisdiction? How is it going to
be secured? What are the likely threats and how will these be mitigated? Who
is responsible for which aspects of the operation? These and other questions
should be answered in the form of a comprehensive services contract before
agreeing to work with a cloud provider.

The need for enhanced cloud education

As we ourselves explored at Infosecurity Europe 2014, more education is
needed regarding the cloud and companies should seek advice in order to
understand the processes involved in ensuring data is secured effectively.

The IT security industry has been doing a pretty good job explaining the
existing risks and solutions to individuals, but to inform and educate
businesses and Governments is a much taller order. At Bitdefender, we
believe the training and skills development programme provided by
ITU–IMPACT is very useful, not just for critical infrastructure industries
but also as a template that could be replicated throughout the rest of the
private sector.

The worst thing that we can do is to let criminals do the educating for us.
Pain is a good teacher, but it can also be crippling. Industry and trade
associations have a big role to play here, as does the Government.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
