With the cloud market set to be worth in excess of $200 billion in 2016, some companies are beginning to voice concerns over the security of data hosted in the cloud. Can you store all data, even the most sensitive, in the cloud? Who has access to it? How to guarantee confidentiality? What’s the “right” way to use the cloud?
Grégory Haïk, Chairman of the EuroCloud France Security Commission and of the startup Trustelem, answered our questions.
EuroCloud is a professional organisation made up of European cloud providers: software companies, hosting and infrastructure providers, systems integrators, consultants, resellers, etc. Every year the French branch, EuroCloud France, holds the Cloud Trophies, which reward the most impressive cloud solutions. EuroCloud also initiated CloudWeek, which will take place in Paris from 4 July 2016.
Trustelem is a French identity and access management solution with which organisations can do away with passwords, centralise access to their various applications, and guarantee data traceability and security.
“DATA SECURITY IS OFTEN USED AS AN EXCUSE NOT TO USE CLOUD SOLUTIONS”
Should companies be worried about the security risks associated with storing data in the cloud?
The initial concern is a sort of wake-up call which can be very beneficial. But it should get organisations thinking and then doing something. Unless there’s a rationally-built risk management plan, the cloud can seem like fog and the internal IT system looks like a black hole.
Data security is often used as an excuse not to use cloud solutions, which isn’t a very rational way of looking at the matter. Whether the data is stored in the cloud or locally, an analysis of security should focus on the same thing: technical protection resources, the skills of the operations team, organisation and responsibility. These are the criteria on which solutions should be assessed.
People often say that the cloud is “inherently dangerous”. That’s the sort of argument used by lawyers worried about the risk of “data leaks,” IT managers who want to have total control of their system, operations managers who are worried that outsourcing will lead to redundancies, or certain traditional integrators who would rather sell a day’s services than deploy cloud solutions.
To IT managers, I would like to say that the digital transformation implies a radical transformation of the IT department, which should change from an organisation of people who perform tasks to a community of experts, whose tasks focus more on business and functional processes, security, governance, support and awareness, and less on troubleshooting.
As for the traditional systems integrators, I can only recommend that their client companies challenge them, by consulting cloud integrators and asking the providers they’ve been working with up till then to offer alternatives.
Can you put all data, even the most sensitive kind, in the cloud?
You could also ask “Can you store all data, even the most sensitive, on site?” Technically, there are some excellent solutions for protecting your data in both scenarios, in the cloud and on site. Again, it’s a question of resources, availability of skills, organisation and sharing responsibilities.
In both cases, managing highly-sensitive data is a real challenge, and it’s better to get specialists to handle it. You need to be extremely careful and devote considerable efforts to building your own top-security infrastructure.
Finally, you need to look at the issue of backups: it’s very risky not to keep an external copy of your sensitive data.
“GOOD CLOUD SOLUTIONS PROVIDERS ARE CLEAR ABOUT THEIR LIABILITY”
How do the various players in the ecosystem ensure data protection and confidentiality?
It varies considerably from one provider to another. From a technical standpoint, the ones who take the matter very seriously deploy their solutions in partitioned, monitored, duplicated infrastructures, deploy resources for network security, intrusion detection and prevention, monitor vulnerability and implement security incident management procedures, centralise and monitor their teams’ access to clients’ data, protect data by state-of-the-art encryption, and enable their clients to use their own systems for combining identities and centralising logs.
From a contractual point of view, good cloud solutions providers clearly state their degree of liability in terms of data protection and confidentiality and their contracts are clear and precise about apportionment of liability. Their guaranteed availability level is high and the penalties in the event of failure are substantial. The location of the data is clearly stated. Corrective maintenance and in particular security is included in the service. Compliance with confidentiality regulations is guaranteed.
Who has access to this data?
Typically, the provider’s staff have access to clients’ data. Only complex architectures based on cryptography can prevent that, and even then only for certain uses. So you should make sure that the provider applies the right internal access control measures. In any event, the provider can be held liable in the event of any data leaks they cause! A client can actually ask the provider for an exhaustive, up-to-date list of all the people likely to access their data, as required by certain standards.
“CLASSIFY YOUR DATA, TEST DIFFERENT SOLUTIONS AND PROTECT YOURSELF”
What advice could you give companies on the “right” way to use the cloud?
I’d give three pieces of advice: classify your data, test different solutions and protect yourself!
I can’t stress enough the part about testing. There are a number of factors that can enable you to rate a provider’s security solutions. There’s actually a really simple test that any company can do, irrespective of its size, to carry out an initial, reasonably reliable assessment of a cloud solution: just ask the provider a few technical questions about security, and about its general sales terms & conditions. If they avoid the questions, if they’re slow to respond or use stalling tactics, run a mile! If, however, they answer promptly, clearly, in a reassuring, open way on both the technical and legal aspects, it means they probably take the matter seriously.
Where critical data is concerned, if the resources are available, I advise you to investigate in greater depth, including running tests, questionnaires and multi-criteria comparisons.
Finally, with larger groups, I’d advise them to continue transforming their IT organisation because the cloud/on-site combination applies to all areas now: infrastructures, monitoring, storage and archiving, authentication, encryption, email and collaboration, business processes and support functions. In all these areas, the range of cloud solutions available is increasing every day. The decision-makers need to take advantage of them now so that all the organisation’s users can benefit from them.