Information security in any public cloud can meet contractual commitments and still allow your data to escape into the wild. This discontinuity is the subject of articles across the web, including documented cases of secure infrastructure plus lax policies equaling a data breach.
Cloud providers for storage, services, applications, infrastructure, etc. provide services and pricing that many executives and end users find enticing. The per-click, per-gig or per-transaction-only fees get our attention. The built-in redundancy, access from anywhere and ownership-eliminating possibilities cause us to think, how can this be a bad thing?
Finally, the rigorous security compliance standards that some cloud service providers meet allow us to think, this will be OK. And it can all go very bad with one click.
Securing cloud data requires more than moving your data to a cloud provider with NIST, ISO, PCI or other certifications. While certification is a great starting point, it is not an end, much less the end, for data security. Securing your customer data is your responsibility whether it sits in a public cloud or is buried in an underground vault. To be an effective data custodian you must understand the security requirements for the data you store, actively manage how you store it, be aware of the ways a data loss might occur and actively ensure data security.
Unfortunately, these are postmortem indicators for many organizations; they are not well understood until data is lost and lawyers begin to ask questions. Clearly that is the wrong time to understand data security requirements. It is also a bad time to learn that your cloud provider did everything they were contractually bound to do and that your policy, process or lack of attention created the opportunity for a data breach.
To prepare for data in a public cloud, XaaS or any shared data security responsibility, you need to know your responsibilities as well as the acceptable actions that create a compliant organization and a defensible position. Do you? Many people, from frontline customer representatives to top-level executives, do not know how to create a secure and compliant organization. Unfortunately, people assume that if provider XYZ is 123 compliant, all data, transactions, connections and retention occurring in the provider's cloud are also 123 compliant; nothing could be less true.
For example, a blog posting with the administrator ID and password to your primary customer database, now hosted at provider 123, is not secure or compliant with any standard. The provider is doing everything right, but cannot protect you from yourself. Only your organization's training and security practices can protect your customer data, no matter the storage or processing location.
How much security do you need? What are the steps required to be standards compliant? When do the standards apply to your organization? These are questions to ask and things you need to learn, but your cloud provider may not have the answers. The logical twist created by the current rush to cloud everything is that knowing the answers to these questions before you select a cloud provider will help you find the right partner: one that meets your defined business needs and protects your customers' data.