freshidea - Fotolia
We talk about the difficulties that arise as a result of being able to easily initiate cloud storage instances. The likelihood is that customers can fail to keep track of where data is, who owns it, who has access to it, how it is protected and whether it is compliant. That risk is heightened by current geopolitical events, such as the Russian invasion of Ukraine and resulting sanctions and responses.
Antony Adshead: What threats to legal and regulatory compliance does storing data in the cloud pose?
Mathieu Gorge: I think the first issue here is that we’ve got more and more data in the cloud and less and less on-premise, and that makes sense from an operational and financial perspective.
But from a contractual, legal and compliance perspective, it brings up a number of challenges. Where is the data? Who owns the data? How is it backed up? Is it actually backed up? Is it stored in a legal and compliant manner? Is it stored in the right place?
We know right now with all the geopolitical risks that if you had data in Russia, with western assets being taken over by the government, you actually lose that data – even if you have a backup, the Russian government would have a copy of it. So, we’re seeing more companies doing table-top exercises trying to understand where the data is, and what they would do if they needed to exit a country.
The main challenge is that we need to understand how many cloud providers you have, can you trust them, do you have the right contracts with them? And do you actually know where your data resides?
Unfortunately, most companies struggle with that. They don’t necessarily understand their ecosystem. It’s just so easy to start a new cloud system somewhere else, and that’s why it’s so popular. But the issue arising out of that is that you don’t necessarily have control of the data that’s in the cloud, you don’t know if it’s backed up the right way, and from a data protection and compliance perspective, that becomes a bit of a nightmare.
Adshead: What are the implications of these threats for backup and data protection in particular?
Gorge: The implications are that you may lose some data, you may not be able to retrieve some data, or access some data, and/or third parties that are not authorised may be able to access the data instead of you and copy it.
So what you should bear in mind is that depending on where you reside and depending on the type of data that you take, whether it’s credit card data, protected health information or any type of PII, you have requirements under the law and various regulations to protect that data. You need to be able to, for example, say that you are in compliance with PCI, HIPAA, or GDPR.
The challenge with that is you can only do it if you know where your data is, and if you’ve classified the data, mapped it out and specified who has access to it under what conditions.
One of the good things about cloud is that it is reasonably well-monitored by regulators and various associations. So, for example, you’ve got ENISA, the European Network and Information Security Agency, which is really active on providing cloud protection guidelines; you’ve got the Cloud Security Alliance, which is very good with cloud security metrics and a good framework to start protecting your data in the cloud. Every year, they do an event at RSA called the Cloud Security Summit.
Also, you have CNMC from the US government, which is for anyone dealing with data in the cloud for government. It’s a good framework that allows you to map out your data storage, to classify the data and demonstrate that you have the right security and compliance levels.
On balance, there’s no shortage of help to manage data in the cloud and compliance. The challenge is really trying to map out the data, because it doesn’t matter what framework you use or what technical solution you use. You need to know where the data is. There’s so much data in the cloud – and data in the cloud that you’re not aware of – and that’s creating a gap in your security analysis.
The advice would be to map out all of your providers, third parties and fourth parties, and making sure you check where your data is residing. That’s really the key.
Read more about cloud storage and compliance
- Cloud storage data residency – how to achieve compliance: There’s a conflict between cloud storage and the need to comply with local laws and regulations. We look at cloud data location, data residency, data sovereignty and data adequacy.
- Podcast – 2023 compliance and storage outlook: Geopolitical instability casts its shadow as organisations must think about cyber attacks, data location and what to do if things change quickly. We talk to Mathieu Gorge, CEO of Vigitrust.