Page 16 - CDM Cyber Warnings February 2014
I'm frequently asked if I think data is inherently more secure when kept on-premise vs. in the cloud. My answer invariably is no, you cannot make such a sweeping statement. Organizations with lax data governance and security procedures have experienced data breaches with information stored on-premise. And there are many cloud service providers that take security quite seriously, maybe even more so than some enterprises.

But many larger enterprises and government organizations have invested quite a bit in security, data privacy, and compliance over the years, and, as a result, are confident in their capabilities. They are scratching their heads as they look at the public cloud, struggling to see how they can leverage these techniques and their organizational strengths in the new paradigm of public cloud use. Said another way, the key concern they have about the public cloud is that they typically need to relinquish control of data privacy, security and compliance to another party – the Cloud Service Provider. As a result, any techniques or approaches that enable organizations to retain control of sensitive data while giving them access to the benefits of cloud use are extremely appealing.

Enter the Private Cloud

To maintain the level of control they require, highly regulated organizations lean towards private clouds. In recent surveys of CIOs, the single tenant aspect of private clouds and their ability to give the organization ultimate oversight over the governance and control of data access and the location of data are highlighted as key benefits of these environments. In fact, an IDC study from 2012 highlighted issues surrounding lack of clarity about where data was being stored and processed as well as ambiguity about which parties (data owners, data controllers, local governments) had jurisdictional control of the data as being key barriers to public cloud alternatives.

For example, suppose you are a UK organization using a U.S.-based cloud service provider – the provider offers you a primary data center located in Dublin, Ireland, but the back-up data center is located in the U.S. While it is beneficial that the primary location of your data will be in the EU (Dublin), you still need to consider the implications of your data flowing to the U.S. in situations where the secondary data center needs to be used. Whose laws apply as data moves from country to country? Who has control of the data at any given time? An additional complexity – the cloud service provider may have customer support or data hygiene and system maintenance personnel accessing the environment from other countries.

This is why the discussion is broader than simply one of security, and why data residency and sovereignty have become an area of intense focus for data privacy and compliance professionals. These sorts of complexities associated with the public cloud make private clouds appealing – but there is a downside that needs to be considered. In particular, challenges and limitations of the private cloud include no access to popular SaaS applications, a less elastic computing model when
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 16