CloudSec: Cloud not the magical bullet for GDPR compliance

Companies shouldn’t simply assume moving to the Cloud will solve any worries around complying with the incoming General Data Protection Regulation (GDPR) requirements.

During the CloudSec event in London this week, several speakers warned that there are multiple factors to consider when using the Cloud, and that each of them affects your compliance (or lack thereof).

It would be easier if every company were paper-based and kept everything in a filing cabinet, joked UKCloud’s John Goodwin, as that way it would be easy to know exactly where all your customer data would be. However, in today’s complicated technology landscape, customer data can be in known repositories, emails, Dropbox and Salesforce accounts, backups, mirrors, archives, plus distributed across numerous Cloud locations.

He advised that companies need to do their research in order not only to ask the right questions of their Cloud providers (where data is held, how it is processed, by whom, and so on) but also to understand the answers.

And while Stewart Room, a partner at PwC, predicted that there won’t be any ‘mega fines’ in the first few months of the GDPR enforcement date, it would be a “mistake to drop your guard just because you don’t see any action [being taken by regulators]”.

He also warned that there is “zero tolerance” for companies that simply claim they are a victim of cybercrime after a hack; they must be seen to be proactive in their risk posture.

Recent examples of Cloud SNAFUs, explained OWASP’s London Chapter Leader Sam Stepanyan, were data leaks caused by misconfigured Amazon S3 buckets. Verizon and the WWE foundation exposed the data of millions of customers after badly configured access controls meant the data was openly searchable online. Stepanyan said the problem was also present on Microsoft Azure’s Blobs. The issue is so common that Amazon recently launched a service called Macie, which identifies potentially sensitive information and where it is stored and accessed.

Speaking about Cloud security in general, and highlighting the importance of the shared security model, Ian McCormack of the National Cyber Security Centre emphasised that “those responsible for the delivery of a service remain accountable for the security of that service.”

Very few people are interested in reading the full terms and conditions of their Cloud providers, argued David King, Technical Director at Secon Cyber Security; they simply assume everything is OK and covered.

Stuart Aston, National Security Officer, Microsoft UK, called on Cloud providers to be open and honest both in how they handle data and in how they handle requests for that data.

“Suppliers should be transparent about what controls they have in place. Suppliers should be particularly transparent about under what circumstances they will access customer data.”

And many questions still remain unanswered or untested. For example, it remains unclear whether companies who use the Cloud will be able to shift any blame onto providers such as AWS.

Dan Swinhoe