Wednesday, April 6, 2011

In The Cloud: Sharing is Caring

At Accenture we are refreshing our Cloud Security & Data Privacy point of view. It’s been 2 years since we counselled more caution (and less action) in public cloud computing.

Today, we are more optimistic and more realistic about the road ahead. 

As a co-author of both, here are some observations on what has changed the sentiment:
  • We've moved away from a lot of the red-herring topics that can distract from the more significant issues.
  • Cloud providers have done a good job plowing the field and helping organizations get a good "feeling" about security and privacy, in particular the SaaS providers.
  • Cloud providers are now willing to change standard contracting and to acknowledge that data owners remain responsible for the acts and omissions of their service providers.
  • We are seeing a move away from a take-it-or-leave-it approach to security and compliance on the part of cloud provider offerings.
Many companies will no doubt worry about theft, loss, or legal noncompliance if they put data in the public cloud. But waiting on the sidelines isn’t a good option, either. In the refreshed point of view we talk about five steps for crafting a strong cloud security strategy now.

One of those steps is knowing how to share responsibility and risk. Clarifying the roles of the data owner, the cloud provider (and the system integrator, if applicable) in delivering legally compliant solutions is crucial. From a legal perspective, there is no clear division of labor between the cloud provider, an application manager (or system integrator), and the data owner. The law only cares that certain things get done and makes the data owner responsible for causing them to be done; it does not care who actually does them.

Unfortunately, many data owners and cloud providers have misperceptions of their responsibilities that hinder the evolution of a secure and compliant cloud solution. The division of labor varies by cloud service model: some requirements fall within the cloud provider’s span of control, others within the tenant’s. For example, a business continuity or disaster recovery capability may not ship as “standard”, but can be designed in as a separate data center or a dedicated backup tape solution. The irony is that plenty of security and compliance capabilities exist today, but cloud providers have not considered how to use these capabilities to meet customer needs.

Cloud providers now acknowledge their role in supporting their clients’ legal compliance and are agreeing to "sign" contracts that allow their clients to meet their obligations.
