• Alasdair Anderson, VP of EMEA at Protegrity


• 01.08.2024 03:00 pm
#security #migration #data

Since the world went digital the value of data has been unprecedented, and as businesses race to adopt the latest tech to optimise and monetise their data it is set to increase in value at an exponential rate. However, whilst data is widely regarded as an organisation’s main asset, data accountability is rarely owned, which can lead to errors that incur fines, loss in consumer trust, and impact brand reputation. To ensure best practice, organisations should apply caution when considering their next step in digital transformation, such as when migrating data to the cloud.

Who Are You Giving the Keys to?

Utilising cloud software promises real-time data sharing and increased innovation through analytics, which can be beneficial to business growth. For fast-paced business environments and busy cybersecurity teams, it is attractive to opt for a third-party cloud vendor as it appears to be a simple solution, and robust cybersecurity measures can be assumed. On the surface it is simple, however, further investigation provides concerning insights. Firstly, when a customer uploads data to the cloud, they surrender control of their data. Publishing data to the cloud gives the third-party permission to copy or move data without consent – sometimes to locations even the cloud isn’t aware of. Cloud platforms are nebulous, leading to organisations often having their data spread across multiple levels, making it difficult to monitor and the risk of data loss a real threat. Further, when data is placed in the hands of another vendor, it possesses the passwords and encryption keys needed to secure the data. This means that data can potentially be accessed in its pure state by anyone, including partners. Publishing data to the cloud without considering data privacy is akin to giving a stranger the keys to your shop and trusting them to lock up.

The main issue here is data accountability. Results-driven organisations, perhaps too separated from their sensitive data, are looking for quick ways to optimise their data and share the responsibility. Unfortunately, in an eventual cloud breach, as cloud security offerings are often found to be lacking, cloud providers will find a loophole to pass the responsibility back to its user. As such, the first step in achieving responsible cloud migration is for an organisation to recognise ownership and responsibility to the valuable data it possesses. Ultimately, the success in migrating to the cloud relies on data accountability and ensuring all members of the team understand the privacy policies surrounding it. Establishing a culture of organisational security and recognising the worth of one’s assets will make it less likely for the keys to be handed to a stranger without a background check.

Cloudy rules for data compliancy

Cloud providers don’t provide physical infrastructure for audits, nor are consumers permitted to verify vendor security, making background checks difficult. It instead relies on an honour system, which is in contrast to the standard practice in vendor data security of ‘trust but verify’. In this instance organisations may find that publishing data to the cloud immediately conflicts with their internal data security policies and regulatory compliance requirements, running a risk of incurring large fines when subjected to a compliancy audit. When deleting data from the cloud the element of hazy trust appears: consumers cannot verify if their data has been deleted; it is at the discretion of the cloud vendor.

Considering threats to data control and compliancy make cloud migration seem too risky a venture, and may cause concern for those in the midst of a cloud migration journey. This may make an organisation and its cybersecurity team feel caught in the crosshairs of competitive innovation, security, and data-compliancy challenges. However, prioritising data-centric security measures can provide a holistic approach to mitigating risks in the cloud environment and reap the benefits of its usage. Partnering with a data protection platform in this instance can provide support with enhanced security and ensured compliancy.

Groundwork ensures secure results

Migrating to the cloud with the use of a third-party data protection platform can be a comprehensive solution to support responsible cloud migration for even sensitive data. Take for example the case study of a global bank that used a data protection platform to migrate 70% of its workloads to the cloud. The challenge was to implement highly scalable serverless data protection for its big data, containing information such as salaries and personally identifiable information (PII). Thanks to collaboration between diverse teams, thorough planning, and considering data security at every step between both technology and organisational structure, the project was a success. The bank now enjoys modernised data applications, automation, and security measures.

To ensure lasting success the bank prioritised policy, safety, and simplicity. Its team assessed why it wanted to make use of the cloud, which informed the understanding of what data was worth uploading. It is an essential step when assimilating any new technology, or to anonymise data through privacy enhancing technologies (PETs) like encryption or pseudo-anonymisation. Utilising a data protection platform ensured that the key to encrypt and decrypt the data didn’t need to go to the cloud. With the data effectively secured, the bank could opt to place its anonymised data in one central account: making its data more straightforward to audit, monitor, and manage accesses. The entire process was carefully risk assessed before execution, run through rigorous testing, and its results were carefully audited and monitored before implementation. In responsible cloud migration, being methodical and risk aware garners the best results, and ensures all data is safe and uncorrupted for future operations.

Prioritising Data Simplifies Cloud Migration

Whilst cloud migration creates a multitude of security and privacy concerns, if approached with a data-centric mindset it can be effectively executed whilst ensuring data compliancy and mitigating risk. Focusing on data security and partnering with a data protection platform provides a simplified, scalable pathway that reduces overall costs and risk of data breaches. A data security platform provides layers of protection such as PETs, a zero-trust framework, and enhanced overall security, lowering a company’s risk profile and still driving innovation.