Navigating trusted cloud considerations: Transparency, security, privacy and compliance


This post was authored by Sean Pike, Program Director, eDiscovery and Information Governance, IDC.


It is absolutely true that the cloud is rapidly becoming the mode of choice for IT operations. My colleague Rick Villars wrote that we're just a couple of years away from cloud overtaking traditional datacenter implementations and becoming the predominant infrastructure model. It's certainly not difficult to imagine. Cloud has already enabled mobility, freeing workers from the tethers of physical office spaces. Cloud has accelerated innovation and enabled accessibility by being easy, available, and always on.

In fact, the maturity of certain cloud offerings has transformed some business processes so dramatically that data or communications may rarely enter the four walls of the enterprise. Consider highly mobile sales or consulting forces, for instance, who rely on mobile devices and cloud-hosted enterprise file sync and share (EFSS) platforms and cloud-hosted email to perform the bulk of their business activities. Given the efficiency and possible savings that cloud solutions can offer, it's no wonder that IT buyers and solution providers alike frequently ask me to help evaluate cloud product strategies and buying decisions.

More often than not, those conversations start with a seemingly innocuous question: "Does it make sense for my industry x, y, or z to consider cloud-hosted solutions?" It's a completely loaded question. While the answer is almost assuredly yes, there are two much more important questions that need to be answered.

First, before answering for specific industries, there needs to be a discussion of the specific product or service being offered. Why? In short, compliance and risk. Companies operating in certain regulated industries or geographic locations must be cognizant of the national and local rules, laws, regulations, and customs that govern business activities and data security standards. This alone can be quite the challenge. As an example, one prominent law firm I spoke to recently compiled a 179-page document aggregating data privacy law in 41 non-U.S. countries.

In the U.S., nearly every one of the 50 states plus the U.S. territories also has state laws directed at data privacy. It's a lot to navigate. These laws alone can dictate how data is stored, transferred, or disposed of. Add in industry-specific regulations and standards related to healthcare, financial services, credit card processing, and retail environments, and the cloud-hosted products and services question becomes, well… cloudy. In order to judge whether cloud solutions are viable, the discussion must be centered on specific use cases, data implications, and risk, as opposed to broadly defining an entire industry.

But wait, there's more. The second need-to-know question is additive to the first. Above, I described how individual use cases and specific cloud-hosted solutions can be affected by standards in regulated industries and how those rules can vary by geography. Next, I ask: How much visibility do you have into your cloud solution or service provider? It's important because visibility provides another opportunity to reduce overall risk. Assume for just a moment that you've selected a cloud provider to host private data. Do you know where the data is physically stored? Do you fully understand the cloud provider's replication or disaster recovery scheme? Is your vendor committed to transparency? Failing to understand the answer to each of these questions can greatly affect your company's risk profile or even place your company in a state of non-compliance. Given that U.S. and European regulatory bodies are now prone to doling out multi-million-dollar fines for negligent data handling or security practices, it behooves companies to fully understand exactly where their data is and how it's protected.

Beyond compliance considerations, fully realizing effective data, process, or application security is also important. It is generally accepted that there is a dearth of security talent available for hire in private industry. There are just too many security challenges, too many complex and highly specialized systems, and too few well-trained individuals and budget dollars available to meet every business's needs. This constraint is accelerating cloud adoption. Companies hope that infrastructure consolidated within a smaller cloud-hosted footprint will reduce the security workload by leveraging a common architecture and offloading certain security functions to more skilled PaaS or MSSP staff.

In this way, companies have shown a willingness to cede control over certain security functions in return for more cost-efficient and effective controls. IDC expects that this model of offloading security services to PaaS providers or through Cloud-Hosted Security Services (CHESS) will continue to increase. This may become especially true as Digital Transformation (DX) shapes the value of data and the world becomes heavily reliant on autonomous systems driven by data. In these cases, data must have high levels of integrity and availability, requiring uncompromising security and constant compliance.

As enterprises wrestle with evaluating cloud services appropriate for their business needs, risk, and security posture, Trusted Cloud partners can provide enterprises with the following security and compliance benefits, among others:

  • Standardized architecture
  • IT automation services
  • Data visibility and data control mechanisms
  • Identity and access management services

To fully realize the promise of the cloud, it is important to select a trustworthy cloud service provider that is transparent about its principles and practices, understands and helps you meet your global compliance requirements, and takes a principled approach to the security and privacy of your data.

Comments (0)

  1. For all the sound and logical guidance in this article, the attitudes of businesses are riding roughshod over data governance and privacy protection. Many US companies doing business with the EU, and vice versa, are falling foul of the EU data privacy export rules, with some of the worst examples being set by conscious data privacy abusers like Google, Facebook, Amazon and many unwitting smaller US-based SaaS and hosting providers.

    When it comes to standards, in our hyper-connected world they are in an ever-increasing state of collapse. With many standards either industry/sector focused or implemented to industry- or sector-specific adoption frameworks, they are NOT designed well for interoperability across horizontal operational integration or down through diverse API-based supply chain dependencies. Furthermore, the ISO definition and refresh processes operate to old-world timescales that leave them behind the curve in the fast-moving innovation world of today. I am not suggesting they are redundant, but they offer too many false illusions of security. Just look for yourself at how many times we have heard of cyber breaches in organisations with current ISO 27001 and other standards in place.

    Standards-based information governance is no replacement for proactive threat-based risk management: threats do not conveniently operate within the guidelines of standards but work the cracks and sail through the joins. Cyber threats are transforming the traditional Governance, Risk and Compliance landscape, rendering much of it high friction and high cost. This drives a new approach and a new breed of security officer, the Cyber Security role. Read more at 'Land, sea, air and space ..... now Cyber'. https://nrgfxit.net/2016/04/19/land-sea-air-and-space-now-cyber/
