If someone you didn’t know asked you to willingly hand over the keys to your car or your house, would you do it? I’m guessing not. After all, the items belong to you and are of high value. That same pride of ownership should apply to your organization’s sensitive content. These days, keeping that information safe and sound should be part of every employee’s job.
While the role of data protection falls directly on the shoulders of IT, compliance officers also need to be actively involved in any decisions that impact data security.
Far too often, the keys to an enterprise’s data are handed over to a cloud provider by employees, who give full responsibility to a third party without a complete understanding of the risks and the rights of the third party. This shifts control of data protection to the cloud vendor – a huge risk, considering organizations remain responsible for meeting regulatory requirements whether the information is stored within their company firewalls or with a third-party provider.
Here’s the problem: cloud services are multiplying by the minute. A report by SkyHigh Networks – a company that tracks the use of cloud services for corporate customers – found that organizations used an average of 759 cloud services in Q1 2014, a 21 percent increase over the previous quarter. But that’s not all. The same report revealed that of the total volume of cloud services used by all enterprises in Q1 – 3,571 – only 7 percent were “enterprise-ready,” meaning they met stringent requirements for data protection, identity verification, services security and legal protection. Not exactly music to a compliance officer’s ears.
You can’t stop the seemingly unstoppable growth of the cloud, but you can determine which cloud services are in sync with your high data security and compliance standards. I’m often asked to weigh in on the private and public cloud debate and about which environment is best. The answer really comes down to control. How much control do you want to have over your data? Do you want to know who has access to your data and what information is being shared and with whom?
If the answer is, “I’m a control freak,” then a private cloud is probably the answer. With a private cloud, you get a dedicated and isolated infrastructure, operated solely for your organization. You provide your own SLAs and terms of service, created to meet your compliance needs. You know where your data is stored and you know that confidential information is not co-residing with data from competitors. The bottom line: the data is controlled and owned by you.
With the public cloud, you’re left wondering where exactly your information is being housed and who can see it. This is a bit like playing roulette – taking a spin and hoping for the best. Since multiple parties’ data may exist on a single platform in a location out of your control, you create a possible channel for data leaks and make it difficult to comply with regulations. Plus, you lack visibility into the vendor’s security controls, leaving you to wonder: if something goes wrong, will I even know?
Placing your bets on the public cloud doesn’t always deliver the best outcome. Case in point: the NSA situation. As I discussed in my previous article, “Corporate Governance in the Era of the NSA,” it comes down to knowing who is monitoring your data, when it is accessed and who is in control.
There’s a reason that 80 percent of our customers choose to deploy our solutions within a private cloud environment: because they want to call the shots. Wondering which cloud path is right for you? Let your compliance, security and control requirements lead the way and you’ll follow the road that lets you keep your data right where it belongs – with you. So go ahead and embrace your inner control freak.