Business leaders are often too trusting of the cloud. Cloud providers, for their part, claim they are secure – but that doesn't actually mean that your data is protected! Many cloud consuming organizations, especially their business stakeholders, have placed trust in their providers, often blindly and without performing the due diligence needed to understand what data assets they are sending to the cloud.
So, what happens to all that data that you have sent to the cloud after you, as the cloud consuming organization, have decided that the data has expired or that you no longer want it hosted in the cloud?
- In some instances the only thing that happens is that your connection to the data has been severed and the data lives on. And, as cloud is such a broad, amorphous term, if your data ends up in some unsecured file share, it could even find its way on to the Open or Deep Web.
- Many trusted and reputable cloud providers will delete instances of your data – but remember that backups and other duplications need to be accounted for too.
Another way to ensure that trace data from sensitive assets is not still floating around in a "cloud" somewhere is to ensure it has been encrypted and that only an administrator or the data owner him/herself has access to the encryption keys.
Many cloud consuming organizations still use compliance certifications to benchmark the data security their provider offers. However, a compliance certification implies only that the provider has a well-controlled environment, not that the data is protected according to its usage context.
For cloud providers, placing greater focus on data security is going to be essential. As more mission-critical data is processed or stored in the cloud, the risk of data exfiltration, data infiltration, and data breaches naturally and correspondingly increases. If an incident occurs, trust that the provider can adequately protect data is lost, and that trust is very hard to regain. For cloud consuming organizations, CISOs own trust. It is therefore imperative for CISOs to actively partner with business stakeholders and put more data-centric security controls in place internally to protect data, and not rely solely on the provider. To further elaborate on the notion of trust: protecting the environment and being held accountable for data loss are two different things. More focus needs to be put on protecting what's truly at risk, which is the data, not the environment!
Evelyn de Souza is a Data Privacy and Compliance Leader at Cisco Systems, where she focuses on developing industry blueprints so that organizations can embrace cloud securely and ensure data privacy in an agile manner. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. At Cloud Security World in Boston, de Souza will lead an expert panel that will explore the question of whether data in the cloud can be completely erased. The panel will also focus on methods to better safeguard data and overhaul the way the industry approaches data destruction in cloud environments.