The Coming Storm
On April 28th, 2021, the European Data Protection Board announced that the Portuguese Data Protection Authority (CNPD) had ordered INE (National Institute for Statistics) to suspend the sending of personal data from the Census 2021 to the United States. CNPD issued a decision addressed to INE requiring the suspension, within 12 hours, of any international transfer of personal data to the United States or other third countries without an adequate level of protection in the context of the Census 2021 questionnaire.
If this were your organization, would it be able to weather this storm?
The Fair Weather Cloud
Most organizations have been using cloud services for some time. This has been what could be called “fair weather” use, where the impact of service failures has been limited. This is revealed by various studies that show only a small proportion of business-critical workloads have been moved to cloud services.
However, the COVID pandemic has accelerated Digital Transformation and cloud usage. This is making organizations much more dependent upon their IT services and the impact of failure has become much higher.
What is needed is a “Cloud for all Seasons” that lets organizations exploit today’s complex IT environment to obtain the benefits that cloud services can bring in a secure and compliant manner.
The common business risks from the use of cloud services can be summarized as:
- Loss of business continuity – from individual element failures as well as cyber-attacks such as ransomware and denial of service.
- Data breaches – loss, leakage, or unauthorized access to the applications or data stored or processed within the cloud service.
- Compliance – failure to comply with obligations imposed by laws or regulations.
These arise because the existing internal security and compliance controls do not take account of cloud use. Furthermore, there is often confusion resulting from the way responsibility is shared between the CSP (Cloud Service Provider) and the cloud tenant.
Inconsistent Governance
Many business-critical applications now depend upon multiple services from multiple providers. The service levels must be set by business needs - but mapping multiple SLAs is difficult.
In addition, each cloud service provides its own disparate management capabilities and tools. This imposes an extra management burden for each cloud service.
When IT services are delivered on premises, the security and management capabilities are chosen by the organization. For cloud services, most of the tools and capabilities are specific to the service.
You may also need additional tools such as SASE (Secure Access Service Edge), CASB (Cloud Access Security Brokers) and CSPM (Cloud Security Posture Management).
This all leads to a costly and inefficient ad hoc approach to security and management.
Organizations need a consistent approach to governance across the delivery models.
Zero Trust Cloud
Can you trust your cloud to protect your data? The Schrems II judgment in July 2020 found that there is a risk because governments are able to override contracts to seize data held in outsourced IT services.
Contracts, Supplementary Contractual Clauses and Binding Corporate Rules are not sufficient protection. According to the EDPB, organizations need to take supplementary technical measures to protect their data where it is transferred to a Third Country.
While this judgment applied to personal data – is your business-critical data safe?
Organizations need to take a Zero Trust approach to cloud services – never trust, always protect your data. Confidential computing provides the technology to help with this.
Cloud for All Seasons
Organizations need their cloud usage to be storm proof. This involves not only how you choose the cloud service but also how you govern all of your IT services – however they are delivered. It also requires adoption of common frameworks as well as transparency on the part of the cloud service providers.
For more details on this subject, attend our KCLive Cloud Strategy Optimization event on July 7th.
During the live event, we will discuss the future workplace trends such as De-Materialization & Anywhere Computing, Workplace-Consumerization, KyE (Know Your Employee), How to Balance Zero Trust requirements with easy access and more.