Security of data now ranks as a top concern when considering whether to move to the cloud for most financial services firms. This is perhaps even more so for insurers following the recent warning from Lloyd’s of London that a serious cyber-attack could cost the global economy more than £92bn – as much as a catastrophic natural disaster such as Hurricanes Katrina and Sandy.
While such an attack is at the extreme upper end of possible scenarios, typical concerns for all businesses when moving to the cloud will range from simply ensuring data is protected from unauthorised access, to concerns around regulatory requirements for the storage and retention of this data.
Regulatory control has always been a significant driver for governance and audit control and this is becoming even more significant with upcoming data protection changes such as the European Union’s General Data Protection Regulation (GDPR), which will have wide ranging impact both inside and out of the EU.
Once a decision has been made to utilise the cloud, then the next step is to make sure that the right processes and tools are implemented to ensure data is moved and controlled in the cloud in a suitable manner associated to its sensitivity. In this article, we will look at some suggestions for how to undertake this.
Data Classification and Protection
One of the key steps to being able to control your data in the cloud is know what type of data is present in the first place. Each application that moves to the cloud should be audited to determine what type of data it holds: confidential, personally Identifiable (PII), credit card or banking data etc. and what sort of compliance or sovereignty concerns there are around this data.
Once this is done, each application can be classified appropriately based on the data it holds. With these classifications in place, it is then possible to determine what controls need to be put in place to protect and manage that data when it moves to the cloud. Such controls can simply restrict user access rights to certain individuals, set encryption, define the location or even determine that this data cannot actually be moved to the cloud.
Taking this a step further, now you have the data classified you could look to implement data classification and rights management tools, like Microsoft’s Azure Information Protection, that will allow you to apply these classifications directly to the data and implement rules to protect and report on the state of this data, regardless of where the files end up.
Many clients have a requirement to keep data within a specific region or even country to meet regulatory requirements and – with regulation changes from GDPR and UK’s leaving of the EU on the way – this is going to become even more of a concern. Ensuring you know where your data lives is key to meeting this requirement when moving to the cloud.
It is important to confirm that your cloud provider allows you to select which region your data sits in and that it will stay within this region. This should cover not only your live data but any backup, replication or disaster recovery arrangements. Both Microsoft and AWS offer the ability to choose your desired region and only have data move between cloud services inside that region.
Where data sovereignty concerns go deeper, data may need to remain in a single country or even need to be stored by a provider based in that country. In this case, you can either look to more local providers, or look at larger providers who are offering single country or even “sovereign” regions, where they offer the same service but the data centre is run by a local company. An example of this being Microsoft’s German and Chinese operations.
By default, connectivity to cloud providers is over the internet, using a secured connection in most cases, but still over the public network. To retain greater control of how your data and users reaches your chosen cloud provider, you can implement some sort of direct connectivity between your corporate network and the cloud provider.
This could be as simple as a Virtual Private Network (VPN) connection to tunnel the data securely over the internet, or using more complex private connections like AWS Direct Connect. By undertaking this step, you can take control of how data and users are routed to and from the cloud.
This includes the ability to add controls (firewall, AV Scanning etc.) between your network and cloud, or between your cloud networks and the internet should you wish. This connectivity will also make it easier for your users to access cloud based resources and even treat them as part of your own network.
Encrypting your data during transit and at rest is one way to keep control over who can access and read that data, which is especially pertinent if the data is stolen. Most cloud providers provide a way to encrypt storage as part of the platform, but you should carefully consider their limitations.
Many platform-based solutions will protect you in the unlikely event physical storage is stolen from the cloud provider, but they will not protect against someone gaining access to your cloud storage and reading the data. Implementing custom encryption inside your applications and infrastructure, to which importantly you hold they keys, will provide additional protection on top of what your cloud provider offers.
Provide Access to Services
Once you have decided to implement cloud services and picked which cloud providers to use, it is important to start opening these cloud services to users as soon as possible and educate them on their use. As many IT managers are aware, if you don’t provide a solution then users will find a way to do what they need to do without your corporate IT controls in place.
As an example, if your users need a way to share sensitive files with customers, then implementing a cloud solution that is under your management and provides the right level of security and audit will keep you in control of the data. If you don’t offer this service, then users will start looking to third parties like Dropbox, OneDrive etc. where the data will be unmanaged. These principles apply to other business critical services as well, such as chat, office tools and workflow.
Moving to the cloud can be a big step with lots of concerns to be resolved, especially when it comes to moving data. Implementing governance, audit and process is key to being able to keep control and ensure you can keep track of where your data is, how it is being stored and accessed, and to prove this to customers and regulators. By considering these topics, you can start the process to understand and protect your data…and so keep control on this transition.