Walking the Tightrope of Cloud Security
An interesting article, "To Err Is Human; to Indemnify, Divine?: Human Foibles in the Cloud," authored by Tanya Forsheit and published in Data Privacy Monitor, looks at who owns responsibility for security in the cloud: the enterprise or the cloud provider. Security is still a source of reluctance for organizations thinking about adopting the cloud, and rightly so. With the dramatic rise in data breaches and hacking, organizations should want confidence that their information is safe.
Although the cloud adds additional concerns, many of the same issues exist in on-premises environments, so I am not sure why the "let's throw up our hands" attitude is so prevalent. Back to the article. Both the Ponemon Institute and, now, BakerHostetler's inaugural "Data Security Incident Response Report" (the "Report") concluded that employee negligence and theft were two of the top five causes of data security incidents among the more than 200 incidents BakerHostetler handled in 2014. Nothing new, except that it confirms findings from the past several years.
The viewpoint expressed was an atypical one: that there is risk both for the organization and for the cloud provider. The author broke down the two perspectives as follows:
- “If I am an enterprise customer and my cloud provider disclaims all liability or indemnification obligations for data security breaches except those resulting from the provider’s own willful misconduct or gross negligence, how can my company protect itself from plain old negligence (not just willful misconduct or gross negligence) of employees of the cloud provider?
- If I am a cloud service provider, how can I agree to accept unlimited liability for the mere negligence or wrongful conduct of employees and still provide cloud services at a low price point to thousands of enterprise customers?”
Both perspectives are sound, and each is logical from its own side of the contract. As far as I am concerned, the organization has to clean up its own house (errgh – cloud) first. Why on earth would a cloud service provider accept unlimited liability when the "human" element is one of the greatest sources of data breaches? But then how does the cloud service provider assess the organization's environment well enough to be willing to take on more risk? Or does it just say, "sorry, we'll do what we can, but you're on your own"?
I do think it is a valid dilemma. I also believe there is a certain amount of fear expressed by organizations, but I am not sure they really understand the issues.
What do you think?