The use of cloud solutions, including cloud-based data backup, email, virtual desktop and other communication tools, has increased dramatically since 2015.
The 2018 Global Cloud Data Security Study conducted by Ponemon Institute found that companies, on average, are using 27 cloud applications.
The study showed that the number one reason for selecting a particular cloud provider is efficiency (42% of respondents), followed by cost (39%), and cloud data security is only ranked fifth (23%) out of 9 criteria.
While efficiency and cost are important in choosing a particular cloud provider, it’s equally important to factor in security along with these top criteria.
Here are the top reasons why cloud data security is important:
It’s important to consider security in choosing a cloud provider as critical data are stored in the cloud.
According to the Ponemon study, primary types of data stored in the cloud are customer information (59%), email (49%), consumer data (47%), employee records (38%) and payment information (39%).
Because of the nature of the data stored there, the cloud has become a target of cybercriminals.
While there are benefits of cloud computing, there are privacy and security concerns too, the Office of the Privacy Commissioner of Canada (OPC) said. “Data is travelling over the Internet and is stored in remote locations. In addition, cloud providers often serve multiple customers simultaneously,” OPC said. “All of this may raise the scale of exposure to possible breaches, both accidental and deliberate.”
In June of last year, a Birmingham, Alabama-based healthcare company publicly acknowledged that it was a victim of a cyberattack that went on for months.
According to the healthcare company, the cyberattack was a result of a security breach at the facility of its cloud provider. The healthcare company said it only knew about the security breach after the cloud provider sent a notification regarding the attack.
Critical data of the healthcare company that may have been illegally accessed by cybercriminals as a result of the security breach at the cloud provider’s facility include patients’ names, addresses, email addresses, telephone numbers, medical record numbers, patient IDs, physician names, health plan/insurance numbers and Social Security numbers.
Another cloud data breach – probably the most notable in recent memory – was the cloud data breach at Uber.
In November of last year, Uber CEO Dara Khosrowshahi publicly acknowledged that in late 2016 two company outsiders illegally accessed Uber’s user data stored on its cloud provider’s cloud-based service.
Khosrowshahi said that the two individuals were able to download Uber files, including names and driver’s license numbers of over 600,000 drivers, and personal information of 57 million Uber users around the world.
Regulations from different governmental bodies are another reason why cloud data security, and choosing the right cloud provider, are important.
Moving your organization’s critical data to a cloud provider is a form of outsourcing. According to the OPC, your organization is still accountable for protecting your customers’ personal data despite engaging the service of a cloud provider.
“Given that the organization transferring this information to the provider is ultimately accountable for its protection, it needs to ensure that the personal information is appropriately handled,” OPC said.
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy legislation, an organization that collects personal information is accountable for the data collected even when such data is outsourced for processing to third-party providers – an example of which is a cloud provider.
The Digital Privacy Act, a law that amended PIPEDA (still not in force in the absence of “Regulations”), states that organizations could face fines of up to $100,000 for failing to inform the affected individuals and the Privacy Commissioner about a data breach.
Another law that demands cloud data security is the General Data Protection Regulation (GDPR) – a European Union (EU) law that’s set to be implemented this coming May 25th.
While GDPR is mainly an EU law, it has an “extra-territorial” scope, which means that even if your organization isn’t based in the EU, your organization is still covered under this law if your organization processes personal data of EU residents.
This law requires any organization processing personal data of EU residents to protect the data “from the onset of the designing of systems, rather than an addition”. Under GDPR, breach notification will also become mandatory, requiring organizations to notify authorities within 72 hours of first having become aware of the breach, and to notify affected customers “without undue delay”.
The maximum fine under GDPR is 4% of the annual global turnover or €20 million, whichever is higher.
Sixty percent of respondents of the Ponemon study believe they aren’t ready to comply with the GDPR, while 88% of respondents expect the GDPR will require nominal to significant changes in cloud data management.
In choosing a cloud provider, see to it that the following security measures are in place to protect your organization’s cloud data:
Encryption is one of the tools to mitigate the risk of intentional and accidental data breaches. This risk mitigating tool converts your organization’s plaintext data into scrambled text using mathematical algorithms. This effectively converts data into unreadable text until such time that a decryption key is applied to convert it to readable material. In selecting a cloud provider, determine the following:
In choosing a cloud provider, make sure that the provider has in place appropriate authentication/access controls. A stronger method of authentication, such as multi-factor authentication, is recommended.
“Cloud computing offers benefits for organizations and individuals,” OPC said. “There are also privacy and security concerns. If you are considering a cloud service, you should think about how your personal information, and that of your customers, can best be protected. Carefully review the terms of service or contracts, and challenge the provider to meet your needs.”