CloudSec: Cloud not the magical bullet for GDPR compliance

Companies shouldn’t simply assume moving to the Cloud will solve any worries around complying with the incoming General Data Protection Regulation (GDPR) requirements.

During the CloudSec event in London this week, several speakers warned that there are multiple factors to consider when using the Cloud, and that each of them affects your compliance (or lack thereof).

It would be easier if every company were paper-based and kept everything in a filing cabinet, joked UKCloud’s John Goodwin, as that way it would be easy to know exactly where all your customer data would be. However, in today’s complicated technology landscape, customer data can be in known repositories, emails, Dropbox and Salesforce accounts, backups, mirrors, archives, plus distributed across numerous Cloud locations.

He advised that companies need to do their research in order not only to ask the right questions of their Cloud providers (where data is held, how it is processed, and by whom) but also to understand the answers they get back.

And while Stewart Room, a partner at PwC, predicted that there won’t be any ‘mega fines’ in the first few months of the GDPR enforcement date, it would be a “mistake to drop your guard just because you don’t see any action [being taken by regulators]”.

He also warned that there is "zero tolerance" for companies that simply claim to be a victim of cybercrime after a hack; they must be seen to be proactive about their risk posture.

Recent examples of Cloud SNAFUs, explained OWASP London Chapter Leader Sam Stepanyan, were data leaks caused by misconfigured Amazon S3 buckets. Verizon and WWE exposed the data of millions of customers after badly configured access controls left the data publicly readable to anyone who found the bucket. Stepanyan said the same problem exists with Microsoft Azure Blob storage. The issue is so common that Amazon recently launched a service called Macie, which identifies potentially sensitive information in S3 and reports where it is stored and who accesses it.
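The S3 exposures described above come down to two documents: the bucket ACL and the bucket policy. The following is an added example (not from the article or any of the speakers) that checks both for the classic public-read mistake. It operates on the JSON shapes that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, so it can be pointed at real output; the bucket names, account ID and documents below are constructed for the example. The policy check is deliberately simplified: it flags unconditional Allow statements whose Principal is anyone, and separately lists conditional ones for manual review rather than pretending to evaluate IAM conditions.

```python
"""Flag S3 buckets whose ACL or bucket policy grants read access to anyone.

Added example, not code from the article. Simplified on purpose: a full IAM
evaluator would also resolve conditions, NotPrincipal, NotAction and so on.
"""

# Grantee URIs that make a bucket world-readable. AuthenticatedUsers means
# "anyone with any AWS account", which is effectively public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in READ_PERMISSIONS:
                findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return (Sid, kind) for Allow statements that grant read to anyone.

    kind is "unconditional" (definitely public) or "conditional" (a Condition
    block is present; it may or may not restrict access, so review it).
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            kind = "conditional" if "Condition" in stmt else "unconditional"
            findings.append((stmt.get("Sid", "<no Sid>"), kind))
    return findings


def is_public(acl, policy):
    """A bucket is public if its ACL or an unconditional policy statement says so."""
    return bool(public_acl_grants(acl)) or any(
        kind == "unconditional" for _, kind in public_policy_statements(policy))


# Constructed sample documents in the shape the AWS CLI returns.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
LEAKY_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"}]}
CONDITIONAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-customer-exports/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ExporterRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-customer-exports/*"}]}


if __name__ == "__main__":
    for name, acl, policy in [("leaky-acl", LEAKY_ACL, SCOPED_POLICY),
                              ("leaky-policy", PRIVATE_ACL, LEAKY_POLICY),
                              ("needs-review", PRIVATE_ACL, CONDITIONAL_POLICY),
                              ("fine", PRIVATE_ACL, SCOPED_POLICY)]:
        print(name, "PUBLIC" if is_public(acl, policy) else "not public",
              public_acl_grants(acl), public_policy_statements(policy))
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (the latter wraps the policy in a JSON string under `Policy`, so `json.loads` it first). Treat any `conditional` finding as a review item, not a pass: a Condition such as `aws:SourceIp` of `0.0.0.0/0` restricts nothing. AWS has since added account-wide S3 Block Public Access settings that override both documents, which is the cheaper control if nothing in the account legitimately needs to be public.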

While he was talking about Cloud security in general and highlighted the importance of the shared responsibility model, Ian McCormack of the National Cyber Security Centre emphasised that "those responsible for the delivery of a service remain accountable for the security of that service."

Very few people are interested in reading the full terms and conditions of their Cloud providers, argued David King, Technical Director at Secon Cyber Security; most simply assume everything is OK and covered.

Stuart Aston, National Security Officer, Microsoft UK, called on Cloud providers to be open and honest both in how they handle customer data and in how they handle requests for that information.

“Suppliers should be transparent about what controls they have in place. Suppliers should be particularly transparent about under what circumstances they will access customer data.”

And many questions still remain unanswered or untested. For example, whether companies that use the Cloud will be able to shift any blame onto providers such as AWS remains unclear. Under GDPR, a company that uses a Cloud service to process personal data is normally the data controller and the provider a data processor, and the regulation leaves the controller accountable for compliance even when the processing itself is outsourced.

Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.
