IDC has predicted that by 2020, 90% of organisations will use multiple cloud services and platforms. So it comes as no surprise that managing and protecting data in the cloud was a hot topic at the recent AIS ICT Management and Leadership Conference.
Storing data in the cloud raises many questions about data governance and compliance. Who is ultimately responsible for protecting an organisation’s data? Is data security guaranteed in the public cloud? What steps need to be taken to ensure iron-clad data protection?
This take on data tackles the question of who is responsible for data in an organisation and debunks some common assumptions around data protection in the cloud.
Whose job is it to protect your data?
When data is stored in an on-premise data centre, it makes sense that your IT team is responsible for protecting it. But when that data is moved to the cloud, the line becomes blurred. In this instance, responsibility for data protection is shared by your internal team and the external cloud provider.
Under the “shared responsibility model”, the cloud provider is responsible for the security of the cloud itself, while your organisation is responsible for security and compliance requirements for your data in the cloud.
Source: Digitalist Magazine
At an organisational level, data should be protected as heavily as a physical asset. Everyone within an organisation has a role to play and a direct impact on data protection. This includes:
- Education of all users to ensure security best practice – awareness of phishing scams, strong password management, enabling multi-factor authentication and so on.
- Identifying business-critical data at a management level and implementing industry-recognised processes and technology to protect it.
- Ongoing education of IT teams to ensure compliance with industry standards and regulations such as the GDPR.
Even the most secure platforms are open to vulnerabilities
Data platforms may be inherently secure, but it is your responsibility to ensure that your access to these platforms, and the processes around accessing data on them, are secure.
A classic example of this is cloud storage. The cloud platform may be resilient and secure, but through misconfiguration or mismanagement you can easily expose your data to the public.
The statistics here speak for themselves. According to the Office of the Australian Information Commissioner (OAIC), 34% of notifiable data breaches that occurred between 1 April and 30 June 2019 were caused by human error.
With more than a third of notifiable data breaches resulting from human error, you simply can’t afford to rely on the security of the platform itself to ensure protection. Organisation-wide user education is paramount.
Backup is no guarantee
If you store business-critical data in the cloud, it is imperative to be clear on how your data will be protected in the event that something goes wrong. Don’t assume that your data is protected or backed up by default by your provider.
There are no guarantees for data backups in cloud environments, so it’s up to you to ensure configuration and security practices are in place to protect your data. This could be a case of having on-premise backups of your most critical data or choosing a cloud-based backup service.
Data classification, compliance and governance
Data is the lifeblood of any organisation. It isn’t just an abstract concept; it’s critical to conducting day-to-day operations and often the key to differentiating your organisation from the competition.
Classifying data enables you to identify what data is most important to your organisation. Once classification is complete, you can build a holistic data protection strategy, with stronger protection for critical data and moderate protection for less critical data.
In tandem, every user must be educated on the value of an organisation’s data and comply with best practices for data access and protection.
Working with a trusted partner can help you develop a complete data strategy covering hardware, storing data in the cloud, backup and user education.
Protect the privacy and integrity of your business-critical data with the right approach to data protection. Get in touch with Somerville’s data protection specialists to discuss a solution that fits your organisation’s requirements now, and in the future.