From social media, through streaming music and videos, to online shopping, technology has become an indispensable part of our lives – all made possible by cloud technologies. The “cloud” is a computing model provided by Cloud Service Providers (CSPs) that allows organisations convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or CSP interaction. A simple analogy for cloud computing would be renting a hotel room. But in the same way that your security and privacy are affected when you stay in a hotel, so is the security and privacy of your data when it resides in the cloud.
There is an increased appetite among organisations to adopt cloud services to reduce costs and increase operational efficiency. Cloud spending is rising rapidly: Gartner predicts that by 2020 the cloud market will be worth $383.3bn [1], and suggests that a corporate "no-cloud" policy will be as rare as a "no-internet" policy is today.
Individually, we are all adopters of Cloud services, and we should understand how our personal data is being used and secured. For organisations using Cloud services, the worries and risks are multiplied. So what should they consider before using a Cloud service? Some starting points:
It is important to understand where compliance responsibility lies when using Cloud services, and this varies depending on the service and the CSP. What is clear, though, is that the more Cloud you adopt, the more control you give up. So the challenge, in my opinion, becomes one of understanding the risks and implementing the controls needed to manage them.
As the market matures, so have user expectations with regard to managing risks, especially in light of GDPR and recent high-profile security breaches (see our report “Cloud Hopper on Managed Service Providers” for an example). There are growing expectations on CSPs to demonstrate a robust control environment. This leads to the frequently asked question: what options do we have to manage compliance in a cloud environment?
There are a variety of certifications and reports that can provide assurance and help you understand how data is managed and secured by CSPs. To work out which you need, consider an important question: how are you using Cloud services?
If the answer is anything related to financial data, or anything that affects your corporate financial reporting, you will need to ask your CSP for a Service Organisation Control (SOC) 1 (or equivalent) report. SOC 1 addresses how changes to the application, security within the application and general upkeep of the application are managed, administered and controlled.
For non-financial data, such as HR data, you will need a SOC 2 report. A SOC 2 assessment is based on the Trust Service Principles (TSP) framework from the American Institute of Certified Public Accountants (AICPA), used to evaluate a service organisation's internal controls against the prescribed set of Common Criteria found in the TSPs. SOC 2 assessments cover a wide range of controls, including operational, technical and information security controls. They are based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems.
Ultimately, in the same way that staying in a hotel affects your security and privacy, putting your data into the Cloud should change your perspective on how to manage such risks.
[1] Source: Gartner, February 2017 (www.gartner.com/newsroom)
Director, Stakeholder Assurance, PwC United Kingdom
Tel: +44 (0)7841 566415