Your Data in the Public Cloud: Your Responsibility

In today’s digital world, data is the new necessary resource.

And like many resources, data must be gathered and refined to extract value from it. Your business is probably doing just that — gaining a trove of information that helps you become more competitive.

If data is indeed that valuable, it makes sense to be vigilant in protecting it. Yet, when you put your data in the public cloud, have you considered that you may be giving up a fair amount of control? To investigate this claim, consider three key concerns in the public cloudprotection, compliance/data sovereignty and legal issues.

Protecting your data — implicitly trusting your cloud provider

Because data is critical to running a business, it is logical to be actively involved in protecting it. Yet, according to a press release by CTERA, two out of three companies using the public cloud are not focused on backing up their applications at all. Why? Because they believe that the cloud is more resilient than on-premises applications, a belief that facts don’t necessarily support. And a majority of organizations rely solely on their cloud providers to run backups, even though most admit that any loss of data in the cloud would be catastrophic to their business.

Another study by security firm Netskope found that 48% of companies surveyed don’t inspect their applications in the cloud for malware and 12% weren’t sure if they did or not. Of those that do inspect, 57% said that they found malware. According to another report by the same firm this year, 23.8% of malware-infected files were shared with others, including internal or external users, or were even shared publically.

Bottom line

Just because you put your data into the cloud, it doesn’t mean it is protected and secure. It’s still your responsibility to ensure backups are getting done, and your data is being checked for malicious malware.

Compliance and data sovereignty — YOU are responsible, not your cloud provider

One of the biggest problems with maintaining compliance in the cloud is simply knowing where your data is located. During an audit, you need to prove the location of your data along with the measures that are in place to protect it. You also must document the level of access for each user and how these levels are maintained. You can’t just assume that your cloud provider has security controls in place and that they are being used properly.

Remove term: Cloud Analysis

In late 2015, the 15-year-old Safe Harbor regulations expired — a regulation that made it easier for American businesses to comply with more stringent data protection laws in Europe. Several months later, the US-EU Privacy Shield agreement was signed, which mandated stronger policies. And the General Data Protection Regulation (GDPR) is scheduled to be enacted in 2018, putting in place even stricter mandates along with severe fines for non-compliance.

What do all these changes in data sovereignty mean to public cloud providers and to those who use their services? GDPR makes it more complex and harder to comply if you store your data in the public cloud. And if you think compliance is the cloud provider’s problem and not yours, think again. The business — not the cloud provider — is considered to have primary responsibility. And as of September 2017, only 24.6% of cloud providers were rated “high” in a GSPR-readiness assessment, based on attributes such as location of where data is stored, level of encryption, and data processing agreement specifics.

Bottom line

You must ensure that you are compliant and be able to show auditors this information. Although you can outsource operations to a cloud service provider, you can’t outsource your responsibility.

Legalities — once you move your data, do you really still own it?

The Fourth Amendment was designed to protect U.S. citizens against unreasonable search and seizure. Although the Supreme Court recognized telephone calls as protected (almost 100 years after the telephone’s invention), no such precedent exists for public cloud. And that’s because an exception called the third-party doctrine states that citizens have no expectation of privacy when information is disclosed to a third party such as a public cloud provider.

Currently, the government can search information stored in the cloud without you ever knowing about it. The cloud provider is informed, but a gag order may keep you from ever knowing.  Different countries have different laws, and the legal system appears to be changing.

Bottom line

When you put your data in the public cloud, be aware of where it is being stored and what the laws are that govern it.  Chances are, you are giving up some amount of control.  Although it’s technically still your data, you may not even know if it is being accessed.

It’s your data and your responsibility

Companies are turning to the public cloud for a variety of reasons. Yet, putting all of your data in the public cloud without considering data protection, compliance/sovereignty, and legal issues could lead to some big headaches. And public cloud providers won’t be the ones responsible. Remember, it’s your data — your intellectual property, your analysis, and your competitive advantage!

As I wrote in this article on control over workload placement, businesses need to determine which workloads should be in the public cloud and which ones should remain on traditional IT or a private cloud. Due to new technologies, such as hyperconverged platforms and composable infrastructure, keeping your most valuable data on-premises is now easier, faster and more cost-effective than ever before.

About Gary Thome

Gary Thome is the Vice President and Chief Technologist for the Software-Defined and Cloud Group at Hewlett Packard Enterprise. He is responsible for the technical and architectural directions of converged datacenter products and technologies including HPE Synergy. To learn how composable infrastructure can help you achieve a hybrid IT environment in your data center, download the free HPE Synergy for Dummies eBook.

To read more articles from Gary, check out the HPE Converged Data Center Infrastructure blog.