How safe is your data in the Cloud?
This article is not targeted at those already immersed in the cyber security industry, but at those non-technical executives who have implemented, or who are considering implementing, one or more Cloud-based solutions as a core enabler for their business. In summary, while you can outsource “the doing” to Cloud service providers, you cannot outsource your accountability.
Scott Morrison, June 2020:
“All levels of Australian government, critical infrastructure and the private sector are being targeted in a "sophisticated state-based" cyber-attack.
"This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers, and operators of other critical infrastructure.”
The Lure of the Cloud
There is no doubt that the lure of these Cloud-based products is considerable. Promises of rapid, low-cost, templated Agile implementations and reduced total cost of ownership; flexibility to grow with your business; shared experience with other similar organisations; improved usability and richer functionality; reduced training and compliance requirements; no in-house IT overheads and no major expensive software upgrade projects; all for a fixed monthly fee. That sounds like an exceptional business case. And, in many cases, it can be.
Types of Cloud offerings
I am heavily over-simplifying here, but for the purposes of considering the data privacy and protection security elements of Cloud solutions, the principal types of Cloud offering include:
• Public Cloud: owned and managed by a third-party cloud service provider and shared with other users or companies. This is possibly the most cost-effective and, potentially, the least secure of the options.
• Private cloud: implemented exclusively for use by a single business or organization. The infrastructure and services function on a private network.
• Many other variants and combinations: Because of the vast range of Cloud products now available, there are many other offerings such as Hybrid (part public/part private), fully outsourced software and hardware as a service (SaaS & IaaS) and so on.
The key point for this article is that, with a Cloud solution, some (if not all) of your traditional IT functions are outsourced to third-party providers and, potentially, to fourth- and fifth-party providers, depending on the precise contractual and environmental arrangements in place to support your solution.
Your Legal Obligations for Data Privacy and Protection
As with any software implementation, it is important for all executive stakeholders to be aware of their obligations for data privacy and protection, and to make sure that the implementation project completely and transparently addresses these obligations. Detailed information on the relevant legislation and these obligations can be found at the Office of the Australian Information Commissioner https://www.oaic.gov.au/, and each State also has a raft of legislation and guidelines that need to be adhered to.
Focusing on the security/data protection elements of these obligations the following areas need to be addressed:
• Accountability: While you may have outsourced “the doing” of IT tasks and services to Cloud providers, you cannot outsource your accountability. At the end of the day, your CEO or Department Head is responsible for any security or data protection breaches and will be held accountable by law for maintaining the appropriate required level of Data Privacy and Protection.
How do they do that? Normally by ensuring that the CIO and appropriate IT team members proactively manage the organisation’s cyber security risks. This can become significantly more challenging if you have outsourced the control of the software and technical environments to external parties.
• Data Accuracy: The obligations include that, if private data is to be maintained, it should be accurate.
• Transparency: It is one thing to be accountable for data protection and privacy. However, the real acid test for any executive contemplating Cloud solutions is “how do I satisfy myself that everything is as it should be?”. Any thoughts of “set and forget” directly contradict the legal obligation to proactively and transparently manage your data privacy and protection responsibilities.
“Come the Royal Commission” for the public sector, or an external audit for the private sector, the key issue is “what objective quality evidence” is available to your organisation, either from the third-party Cloud provider, or independent advisors, that address these questions:
- Have data protection and privacy risks been proactively managed and is there hard evidence of this management regime?
- Have your technical environment cyber security risks been actively addressed on an ongoing basis?
- Have regular independent reviews been carried out on such elements as the authorisation management of system access, data integrity, custom code, technical environments, system vulnerabilities?
- Have data breaches or potential data breaches been identified, reported and remediated?
- Have you, for example, hired an advisory firm to see what of your organisation’s data can be found on the Dark Web? In some cases, this can be due to some well-intended employees who have used public data sharing sites to progress their work. In other cases, this could be due to something more sinister.
- Do your Cloud software and hardware providers provide you with regular reports and hard evidence of this transparent and proactive management of their environments; do they hold the appropriate industry certifications supported by independent auditors etc?
- Where is the hardware that runs your Cloud solution and where are the support teams located?
Early on in the Cloud story, customers were told that the location of Cloud hardware was an irrelevant question, but this was quickly put into perspective when one of the major Cloud server farms was found to be in Hong Kong. In more recent times, Australian organisations have insisted that the Cloud servers remain in Australia as part of their cyber-security risk strategy. However, the support for these services at the operating system and database level is often offshore, which would appear to render this “safety measure” somewhat redundant.
More recently, with COVID-19, offshore support teams have been working from home, which renders the further security measures of highly secure workplaces (for example, in Bangalore) redundant. In essence, the security of your Cloud solution may come down to the efficacy of your Cloud provider’s VPN, and even then, only if there is no deliberate malicious intent or collusion offshore to breach your data security measures.
In summary, if you have never heard of any potential or actual data privacy and protection issues with your Cloud provider, is that because everything is secure, or because the environments are not being proactively managed? Either way, you should have evidence available to you to be able to answer this question.
To meet the requirements of the Law, leaders of each organisation need to satisfy themselves that these matters have been transparently and deliberately worked through and that they are embedded within the organisation’s data privacy, protection and cyber security policies and processes.
You have articulated some very pertinent concerns Nigel. Add to the mix a plethora of different 'clouds' hosting all sorts of satellite systems. An interconnected enterprise is only as good or as bad as the weakest link. Then there are Disaster Recovery strategies and rehearsals, data ownership, the process for exiting a relationship etc - indeed lots to ponder!