Podcast: Cloud security, compliance and data classification

In this podcast, we look at cloud storage compliance and security, with a particular eye on data residency and auditing your data, with Mathieu Gorge, CEO of Vigitrust.

We talk about the rise of the cloud and the tendency towards data holdings in cloud storage to proliferate, especially with the ability of departments across the enterprise to spark up cloud services with a credit card.

Gorge also talks about the rise of increased geo-political risk and the ever-present need to mitigate against it, especially by means of data classification and cloud auditing.

Antony Adshead: What is changing about the cloud and its adoption that affects compliance?

Mathieu Gorge: Cloud has been around for 20 to 25 years, and we’ve spent a lot of time talking about the difference between public, private and hybrid cloud, but in the past few years, we’ve seen some new security frameworks come in to help manage the cloud.

The Cloud Security Alliance publishes some very good work there and some frameworks you can use. There is also CMMC [Cybersecurity Maturity Model Certification] in the US and guidance from ENISA in Europe.

One of the key changes we’re seeing is managing contracts with your cloud provider, and what the contracts should be about. The issue comes originally from that idea of managing the data supply chain and the lifecycle of the data.

So, you create some data and it ends up in the cloud. Where is that cloud located? What jurisdiction is it under? What kind of regulation applies, whether it’s GDPR [General Data Protection Regulation], CCPA [California Consumer Privacy Act] or maybe an industry standard like PCI or whatever?

What we’re seeing is that organisations have a main issue right now that, whereas in the past, to set up data in the cloud you needed to go through IT, now it’s more or less self-service. So, any department in your organisation can use a credit card and start some sort of new cloud recipient, so to speak.

This bypasses security and compliance, and definitely creates a nightmare for compliance, storage, backup and generic security.

That’s one of the things we’re seeing right now. Cloud providers are basically saying, ‘We’re going to help you manage the data that you entrust us with for you to be able to comply with all those regulations’.

So, we’re seeing cloud providers being a bit more proactive, we’re seeing MSPs [managed service providers] and MSSPs [managed security service providers] working with cloud providers and integrating security with cloud to make it easier for organisations to manage data.

Adshead: What impacts on storage, and backup in particular, do these changes imply for enterprises?

Gorge: Once again, we need to go back to the basics that you cannot protect data if you don’t know you have the data, and if you don’t know where that data is or who has access to it.

It’s all well and good to transfer some of the operational risk around data to a cloud provider because they are better equipped to do that, but ultimately the risk remains with you.

What you need to do is look at the contracts, to make sure you understand the SLA [service-level agreement] to get your data back, but you also need to look at the geo-political risks at the moment.

Perhaps you have some data in a country that is no longer stable. We’ve seen the issue with Russia and Ukraine. We’ve seen a lot of western organisations losing data and information in Russia. Even though you might have a backup, the issue is that the Russian government can look at your data.

It would be advisable for everyone to map out all the different cloud providers they have worldwide, to understand whether they need a table-top exercise on how to exit the country from a cloud perspective and then transfer the data and erase it, as much as is legally possible, from those countries you are exiting.

Contracts are key, understanding what type of data needs to go into what cloud. And also, understanding the security requirements, but also the security features that come from the cloud provider for each type of data. A lot of mapping and data classification, and of course security, is a journey, not a destination, so it all needs to be done on an ongoing basis.