Data Security Responsibility

Digital Transformation.  The phrase is used generously in conversations lately.  In most cases, it is with reference to the cloud.  More specifically, it is about using the cloud to make business processes more effective and efficient.

Most businesses are in the throes of a Digital Transformation these days.  This means they are somewhere along the way in their journey towards converting traditional workloads to cloud workloads.

In recent conversations, I have found that many IT administrators are still a bit confused about what they still need to worry about once they’ve moved from traditional on-premise workloads to using a SaaS offering hosted in the cloud.  Do they need to still worry about power, cooling, uptime, and OS management?  Certainly not.  What about security?  And Backup?  Surely the cloud provider is taking care of that too?

As it turns out, not really.  In our experiences with customers, we often find ourselves demystifying the belief that simply entrusting their data to a reputable SaaS provider absolves the business of their accountability towards protecting the data. Cloud service provider contracts are usually carefully written to place the data security responsibility and data management responsibility on customers.  Most cloud vendors vociferously advocate what they term a “shared responsibility model”.  Simply put, this means they are responsible for the security and data protection “of” the cloud.  Whereas the customer continues to be responsible for the security and data protection of what is “in” the cloud.

There are many reasons why you should be backing up your SaaS deployments. Accidental deletion, malicious deletion, and ransomware attacks to name a few.  But most importantly, there are regulatory reasons to have regular backups.  Most regulations stress the need to keep data safe, have the ability to protect it from falling in the wrong hands, and recover it when needed.   And it turns out regulators don’t really care much if a business is now keeping their data in the cloud – they still hold the business responsible.

Regulators haven’t been completely blind to the Cloud and Digital Transformation movement.  The newest regulation in the EU that has been in the news is the General Data Protection Regulation (GDPR).  The GDPR clearly defines and differentiates between the owner of the data (the Data Controller) and the cloud provider who handles it (the Data Processor).

• Controller – “means  the natural or legal person, public authority, agency or other body  which, alone or jointly with others, determines the purposes and    means of the processing of personal data”
• Processor – “means   a natural or legal person, public authority, agency or other body   which processes personal data on behalf of the controller”

Read in detail about GDPR’s stance on data in the cloud

The GDPR is also quite clear on its views on data protection and backup:

“The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of personal data.”

Not to forget GDPR’s stance in case of a data outage –

“the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”

What is not evident from the above is that while the GDPR stipulates that both the Controller and Processor shall implement measures, it holds the Controller much more accountable for any data breaches or losses than it does the Processor.

In short, if you haven’t thought of protecting data in SaaS applications simply because you’ve thought they’re safe in the cloud, think again.  Invest in a cloud-to-cloud backup solution that supports your SaaS.

While the cloud does liberate IT administrators from a number of mundane tasks, it doesn’t really let you transfer accountability around things like data security and data protection.

At the end of the day, it is still your data – even if it isn’t your infrastructure.

As the FSFE (Free Software Foundation Europe) puts it nicely: “There is no cloud, just other people’s computers.”

It’s your data. It’s your data security responsibility Take control of it.