Shifting to Software-Defined

Are you in control of your public cloud data? Maybe. Maybe not.

GaryThome

 

In today’s digital world, data is the new oil. And like oil, data must be gathered and refined in order to extract value from it. Your business is probably doing just that -- gaining a treasure trove of information that helps you become more competitive.

If data is indeed that valuable, it makes sense to be vigilant in protecting it. Yet, when you put your data in the public cloud, have you considered that you may be giving up a fair amount of control? To investigate this claim, consider three key concerns in the public cloud: protection, compliance/data sovereignty and legal issues.

Protecting your data – implicitly trusting your cloud provider

Because data is critical to running a business, it is logical to be actively involved in protecting it. Yet, according to a recent press release by CTERA, two out of three companies using the public cloud are not focused on backing up their applications at all. Why? Because they believe that the cloud is more resilient than on-premises applications, a belief that facts don’t necessarily support. And a majority of organizations rely solely on their cloud providers to run backups, even though most admit that any loss of data in the cloud would be catastrophic to their business.

Another study by security firm Netskope found that 48% of companies surveyed don't inspect their applications in the cloud for malware and 12% weren’t sure if they did or not. Of those that do inspect, 57% said that they found malware. According to another report by the same firm, almost half of the cloud malware they detected in cloud apps were common ransomware delivery vehicles.

Bottom line: just because you put your data into the cloud, it doesn’t mean it is protected and secure. It’s still your responsibility to ensure that backups are getting done and that your data is being checked for malware.

Compliance and data sovereignty – YOU are responsible, not your cloud provider

One of the biggest problems with maintaining compliance in the cloud is simply knowing where your data is located. During an audit, you need to prove the location of your data along with the measures that are in place to protect it. You also must document the level of access for each user and how these levels are maintained. You can’t just assume that your cloud provider has security controls in place and that they are being used properly.

In late 2015, the 15-year-old Safe Harbor regulations expired – a regulation that made it easier for American businesses to comply with more stringent data protection laws in Europe. Several months later, the US-EU Privacy Shield agreement was signed, which mandated stronger policies. And the General Data Protection Regulation (GDPR) is scheduled to be enacted in 2018, putting in place even stricter mandates along with severe fines for non-compliance.

What do all these changes in data sovereignty mean to public cloud providers and to those who use their services? GDPR makes it more complex and harder to comply if you store your data in the public cloud. And if you think compliance is the cloud provider’s problem and not yours, think again. The business -- not the cloud provider -- is considered to have primary responsibility. And as of September 2016, only 6% of cloud providers claimed they were compliant.

Bottom line: you must ensure that you are compliant and be able to show auditors this information. Although you can outsource operations to a cloud service provider, you can’t outsource your responsibility. 

Legalities -- once you move your data, do you really still own it?

The Fourth Amendment was designed to protect U.S. citizens against unreasonable search and seizure. Although the Supreme Court recognized telephone calls as protected (almost 100 years after the telephone’s invention), no such precedent exists for public cloud. And that’s because an exception called the third-party doctrine states that citizens have no expectation of privacy when information is disclosed to a third party such as a public cloud provider.

Currently, the government can search information stored in the cloud without you ever knowing about it. The cloud provider is informed, but a gag order may keep you from ever knowing.  Different countries have different laws, and the legal system appears to be changing.

Bottom line: when you put your data in the public cloud, be aware of where it is being stored and what the laws are that govern it. Chances are, you are giving up some amount of control. Although it’s technically still your data, you may not even know if it is being accessed.

It’s your data and your responsibility

Companies are turning to the public cloud for a variety of reasons. Yet, putting all of your data in the public cloud without considering data protection, compliance/sovereignty, and legal issues could lead to some big headaches. Don’t bury your head in the sand. Remember, it’s your data—your intellectual property, your analysis, and your competitive advantage!

As I wrote in a previous article, businesses need to determine which workloads should be in the public cloud and which ones should remain on traditional IT or a private cloud. Due to new technologies, such as hyperconverged platforms and composable infrastructure, keeping your most valuable data on-premises is now easier, faster and more cost-effective than ever before. 

To learn more about Hybrid Cloud Security, download the HPE Hybrid Cloud Security for Dummies.

To find out how HPE can help you determine a workload placement strategy and how to best meet your service level agreements, check out HPE Pointnext.

Gary

About the Author

GaryThome

Vice President and Chief Technology Officer for the Software-Defined and Cloud Group at Hewlett Packard Enterprise, passionate about all things technology, operating in the data center either physically or virtually.
