Companies embracing cloud-computing solutions must make sure they don't take their ability to recover data for granted, a leading security consultant has warned.
Recovery has proved to be a sticking point for more than one organisation that trusted a cloud service provider (CSP) with its data, BRM Holdich director of information security and IT assurance Jo Stewart-Rattray told more than 120 attendees at the recent CSO Perspectives Roadshow.
Stewart-Rattray, who has consulted with a range of organisations on the security implications of their move to the cloud, recalled one organisation that had been trying to get its CSP to facilitate a data restoration for six weeks – unsuccessfully. The reason: restoration and service level agreements had not been explicitly addressed in their contract, which left the customer in limbo when it came to effecting such a restoration.
"I can't tell you the number of times I've heard people saying 'well, they're a CSP, so of course there will be backup and recovery'," Stewart-Rattray said. "You mustn't ever assume that. You need to make sure it's included in your Head of Agreement. Contracts aren't the be all and end all – but you have to get it right, because then you should be able to put it away and not worry about it unless there is an issue."
Another potential risk that is often not addressed is the potential for CSPs to go out of business or be acquired – potentially leaving the customer's data in a compromised position. One of Stewart-Rattray's clients found itself chasing its data around the world after its CSP was sold – not once but three times – and its data ended up in a developing country in "an area that had geopolitical issues," she said.
"When they went back to their HoA, they realised they were locked into this. The way the contracts had been written, it meant they would go with any move that there was. This is another thing to be aware of when looking at the cloud: have you lost control of your data because it's going places you don't know, or don't want it to be? It is necessary to have assurance from the CSP that the security of your information is adequate."
Those were only a few of the issues that cloud contracts need to address: privacy controls, in particular, are becoming especially important given the looming introduction of 13 new and stricter Australian Privacy Principles in March 2014.
Another issue comes when considering how to ensure that data, when removed from a CSP's systems, does not persist on those systems. To avoid this, she said, contracts must be explicit on issues of data ownership and protection of intellectual property interests; left ignored, some customers may find their data subject to data-squatting policies that suggest that ownership of data vests with the CSP once it's been on their systems for a particular period of time.
"You need to ensure there's no loophole, and that you don't lose a copy of your data somewhere," she explained, "and if you think you own something you don't want to have to pay a lot of money to get it back."
Yet another client she had worked with – a provider of prudential services – found that its HR organisation had used a credit card to purchase cloud services, then loaded employees' sensitive data into the cloud system. That data, however, was being stored offshore in a jurisdiction with different privacy laws.
"HR had no idea what protections were in place around that information," Stewart-Rattray said. "They had just assumed it would be encrypted, and that because it was a Safe Harbour destination, they would be safe. There was such a hole in their due diligence and governance process that nobody in IT asked any questions, and it certainly didn't go to the CISO for a look-see."
This sort of incident highlighted the dangers inherent in rushing to the cloud without the involvement of risk-aware executives and the caution that would be attached to other types of IT and business investments.
"It goes without saying that organisations are ultimately responsible for the protection of their information regardless of where it might be stored," Stewart-Rattray said. "And if that's in the cloud, nothing changes."