Massive cloud-based companies may be tweaking their data governance to minimise exposure to the EU general data protection regulation (GDPR), but surging use of public-cloud services for storing sensitive data reaffirms the importance of data audit and triage as the clock ticks towards GDPR’s May 25 implementation deadline.
Despite suggestions that many executives regret hasty cloud investments, revenues for public cloud providers will outpace expectations to grow 21.4 percent this year alone, according to recent Gartner modelling that suggested those revenues would be led by continuing growth in the software as a service (SaaS) market – which will, Gartner predicts, reach 45 percent of all application software spending by 2021.
“In many areas, SaaS has become the preferred delivery model,” Gartner research director Sid Nag said in a statement. “SaaS users are increasingly demanding more purpose-built offerings engineered to deliver specific business outcomes.”
One of those outcomes will be improved governance, particularly with GDPR set to come into effect worldwide just over three weeks from now. That legislation puts onerous restrictions on any organisation handling sensitive data about EU citizens – which should, if the results of a recent McAfee study are anything to go by, strike fear into the hearts of risk managers everywhere.
McAfee’s 2018 Cloud Security report flagged the growing need for compliance efforts – particularly pressing since all but 16 percent of the 1400 surveyed respondents admit that they store sensitive data in the cloud.
Australian companies were somewhat less likely to trust the public cloud with their sensitive data, with 20 percent saying they store no sensitive data in the cloud and just 21 percent storing all of it in the cloud.
US companies were the most enthusiastic users of cloud services for sensitive data – 33 percent said they did so – while German and UK companies were the most conservative, with 25 percent of respondents saying they stored no sensitive data in the cloud.
Some 61 percent of respondents said they kept personal customer information in cloud services, while 42 percent stored payment card information; 41 percent, internal documentation; 41 percent, personal staff information such as bank details; and 37 percent, government identification information.
McAfee’s analysis of its findings linked compliance investments with the looming requirements of GDPR, noting that organisations “that are more confident in the ability of their cloud providers are more likely to have plans to increase their overall cloud investments in the coming year, while those less confident plan to keep their investments at the current level.”
High-profile public cloud providers have been actively reworking their terms of service to minimise their GDPR exposure, with Facebook reassigning 1.5 billion users to a governing contract with entities in their non-European home countries. Other companies – including Twitter, Etsy and many others – have been notifying users of amended terms of service to reflect GDPR’s protections.
Legal semantics are out of the reach of most conventional companies, which have long been found wanting when it comes to identifying or protecting their data.
To bolster confidence – and justify further extending cloud investments – businesses should look to DevOps, DevSecOps, a unified management platform and extensive automation via artificial intelligence and machine learning to ensure the quality assurance and security improvements necessary to trust sensitive data to the public cloud in the long term.
Developers of automated GDPR compliance tools report continuing upticks in interest as businesses recognise the need to automate their data discovery. Israeli firm MinerEye’s MinerEye Data Tracker, for example, uses a fusion of computer vision and machine learning “to track information at the byte and pixel level,” CEO and co-founder Yaniv Avidan said in a statement.
“With the emergence of GDPR and other compliance measures, organizations need full control and awareness of their data at all times in order to meet regulatory requirements,” said Malcolm Harkins, chief security and trust officer of Cylance, which has been testing Data Tracker as a data-level protection layer.
“MinerEye’s application of artificial intelligence and machine learning brings a fresh vision and approach to the complex fields of data governance and data protection, providing organizations with a scalable and comprehensive solution for tracking and protecting sensitive data.”
That type of automation will prove critical as organisations seek to apply data-scanning and data-management controls across their evolving cloud environments. There will also be opportunities for these capabilities to be provided on a SaaS basis by cloud providers themselves – but the industry, McAfee Cloud Security Business Unit senior vice president Rajiv Gupta recently told CSO Australia, needs to up its game even as businesses continue to increase their reliance on the cloud.
“Once I start to trust a service provider, I am trusting that they will prosecute their part of the responsibility – for servers, network infrastructure, power, and so on – well enough that I can focus on my part of the responsibility,” he said, noting that the inability to secure appropriate cloud-security skills was driving many businesses to slow down or defer their cloud rollouts.
“The cloud helps in taking away some of that low-level shared security responsibility – but you need a different security paradigm, in which the bookends of this new cybersecurity architecture are the device and the cloud. But this notion of open can take on a life of its own: if you have a number of systems, stitching them together becomes a challenge; the seams expose more problems than they solve.”