Top 5 Business Risks of Cloud Computing


Cloud computing has a lot of business benefits, such as cost effectiveness, flexibility and a fast time to deploy. But there are also at least 5 major risks any business should try to mitigate before using a ‘public’ cloud service.

Risk 1: Vendor Lock-In

Will your organization be able to migrate to another cloud service in a cost- and time-effective way?

Most cloud providers benefit, intentionally or unintentionally, from vendor lock-in by keeping things proprietary as long as possible. Providers can also suddenly announce cost increases, or be bought out by a larger company, resulting in policy and/or location changes.

Therefore your organization should define a clear exit strategy and include the ‘exit’ costs in the initial cost analysis.

Risk 2: Insecure or incomplete data deletion

Will your cloud provider be able to delete your data securely on your request?

Cloud providers keep your data safe by making multiple copies. The data is stored on disks that are shared with, and later reused for, other customers, so the provider cannot simply shred the hard disks. As with most operating systems, a request to delete data may also not result in a true wipe of the data.

If a cloud provider does not (securely) delete data before reassigning storage space, personal or strictly confidential data of your organization could leak, especially to other tenants in a multi-tenant environment; this represents a high risk.

Risk 3: Loss of governance

Is your business still in control of the availability, performance, data integrity and resolution times of incidents and problems if the outsourced service is delivered by a cloud provider?

Most cloud services have pre-defined service levels and do not offer negotiated cloud Service Level Agreements. However, to stay in control, at least the following important criteria need to be agreed during contract negotiation: availability (e.g. 99.99% during work days), performance (e.g. maximum response times), portability of the data (e.g. the ability to move data to another provider) and resolution times of incidents.

As a cloud consumer you need to be sufficiently in control of your IT systems.

Risk 4: Loss of control on your encrypted data

Who really owns your data if you, as the customer, do not own the encryption key?

While a cloud provider may agree to keep the data confidential (i.e., they won’t show it to anyone else), that promise does not prevent their own exploitation of the customer data, e.g. to improve search results, to deliver ads or to mine the data for their own purposes. Also, if the user encrypts the data, it is more difficult for the cloud provider to deliver some cloud services (e.g. search).

However, the fact that you are not in control of the keys used to encrypt or decrypt your own data is a substantial risk that companies should try to avoid.
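The mitigation that addresses both Risk 2 (data you cannot get securely wiped from shared disks) and Risk 4 (keys held by the provider) is to encrypt every object client-side under a key the customer keeps, and to "delete" by destroying that key (crypto-shredding). The Go program below is an added example written for this page, not code from the original post or from any cloud provider; it uses only the standard library (AES-256-GCM). `CustomerKeyStore` and `CloudStore` are constructed in-memory stand-ins, assumed here to represent an on-premises KMS/HSM and the provider's multi-tenant storage respectively; the object IDs and the sample record are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNoKey is returned once an object's key has been destroyed: the provider
// may still hold the ciphertext, but nobody can turn it back into data.
var ErrNoKey = errors.New("no key for object: data is unrecoverable")

// CustomerKeyStore holds the per-object data keys on the customer's side.
// Assumption: an in-memory map stands in for an on-premises KMS or HSM.
type CustomerKeyStore struct {
	keys map[string][]byte // object ID -> 32-byte AES-256 key
}

func NewCustomerKeyStore() *CustomerKeyStore { return &CustomerKeyStore{keys: map[string][]byte{}} }

// CloudStore is a constructed stand-in for the provider's shared storage. It
// only ever sees ciphertext and never truly deletes anything, which models
// copies that linger on disks reused for other tenants.
type CloudStore struct {
	objects map[string][]byte
}

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts plaintext client-side under a fresh per-object key and hands
// only nonce||ciphertext to the provider. The object ID is bound as additional
// authenticated data so a stored blob cannot be swapped between objects.
func Upload(ks *CustomerKeyStore, cs *CloudStore, id string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ks.keys[id] = key
	cs.objects[id] = gcm.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Download fetches the ciphertext from the provider and decrypts it locally.
func Download(ks *CustomerKeyStore, cs *CloudStore, id string) ([]byte, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, ErrNoKey
	}
	sealed, ok := cs.objects[id]
	if !ok {
		return nil, errors.New("object not found")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(id))
}

// CryptoShred "deletes" an object by destroying its key on the customer side.
// Whatever copies the provider still holds are now ciphertext without a key.
func CryptoShred(ks *CustomerKeyStore, id string) {
	if key, ok := ks.keys[id]; ok {
		for i := range key {
			key[i] = 0 // wipe the key material before dropping the reference
		}
		delete(ks.keys, id)
	}
}

func main() {
	ks, cs := NewCustomerKeyStore(), NewCloudStore()
	_ = Upload(ks, cs, "records.csv", []byte("alice,alice@example.org")) // constructed sample
	CryptoShred(ks, "records.csv")
	_, err := Download(ks, cs, "records.csv")
	fmt.Println("after shred:", err, "- provider still holds", len(cs.objects["records.csv"]), "bytes")
}
```

The point to take from the program is that the provider's storage never holds anything it could read or mine, and that "deletion" no longer depends on the provider overwriting reused disk blocks: once `CryptoShred` has run, the retained ciphertext is worthless even if copies survive. In a real deployment the key store is the part that needs the most care (backups, access control, audit), because losing it has the same effect as shredding.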

Risk 5: Insecure virtualization layer

How secure is the virtualization layer used by your cloud provider?

Most cloud providers use virtualization: inside a physical device, virtual systems are built on top of a hypervisor. This virtualization enables the provider to use physical devices in a more economic way. However, the virtual firewall support that exists today is very limited, and attackers have learned how to compromise the virtualization layer to gain control of the operating systems on virtual machines.

A compromise like this could give attackers complete control of your data. Organizations should agree with their cloud provider on measures to mitigate this major risk.

Building trust in the digital world: EU General Data Protection Regulation


Why?

Bruce Schneier: “Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance.” [1]

To protect the rights of European individuals, the EU has agreed on a new EU General Data Protection Regulation. European citizens will get a whole new set of rights:

This new EU regulation will help companies respect the information of the people they work with. Organizations will be accountable for incorporating these rights into their daily business practices, if they have not already done so.

When?

Political agreement on the General Data Protection Regulation was reached on 15 December 2015. It will replace the existing Directive 95/46/EC. It should be formally adopted in 2016 and come into force in 2018.

What?

The new regulation concerns the personal data of all citizens of Europe and applies to organizations established in Europe as well as to organizations outside Europe that process data of European citizens.

How?

Companies controlling and processing personal data of Europeans must not only comply but also be able to demonstrate that they comply, e.g. through the use of policies and privacy impact assessments and compliance with new data security requirements, including:

  • additional obligations for contracts,
  • use of encryption,
  • backup and security testing.

Organizations with more than 250 employees must also appoint a data protection officer.

Data breaches must be reported to the Supervisory Authority within 72 hours of the company becoming aware of the breach. Potentially impacted individuals also have to be notified.

The sanctions for breach of the General Data Protection Regulation are significant. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000. This applies regardless of whether you are a Google or a 1-person consultancy; in both cases violating this law will hurt your business’ bottom line.

So don’t hesitate to prepare the implementation: build your policy, start with assessments and protect the personal data in your company.

References

[1] Bruce Schneier, “The Value of Privacy”, Schneier.com. Retrieved 2015-02-09.

[2] Bert-Jaap Koops, “The Trouble with European Data Protection Law”, Tilburg University (TILT), e.j.koops@uvt.nl.
