By Stephanie Bailey, Senior Director/Product Marketing, Perspecsys
Despite the clear benefits of the cloud, many enterprises still hesitate to fully adopt it or capitalize on all of its advantages. There are a few key reasons for this hesitation, including the prevalence of data breaches and hacks in recent years, stricter data residency requirements across geographical boundaries, and internal restrictions brought about by company policies, industry requirements and consumers. Each of these causes for delaying full adoption of the cloud requires a deeper look into potential strategies to diminish or remove possible risk to the enterprise.
Rise in Breaches & Hacking
In recent years, reports of data breaches across all types of industries and company sizes seem to occur on a regular basis. A recent PwC survey found that the number of security incidents detected in 2014 was 42.8 million, equaling an annual increase of 48%, with an average cost of $2.8 million [i]. Of course, many breaches go undetected or unreported, so that number, along with the financial losses, could be much higher. It’s no wonder that these reports cause some organizations to slow down and reevaluate their move to the cloud.
All of this means enterprises must contend with two separate security issues – external and internal. The external security issue means dealing with the loss of control associated with sending sensitive or regulated data to a third-party cloud service provider (CSP) and having to trust that the information is processed and stored in a secure and compliant way. The internal issue entails figuring out how to establish and implement the proper security standards to protect data within the corporate firewall, with a particular focus on challenges such as the rising prevalence of “bring your own device” and mobile computing.
Geographic Residency Requirements
Cloud data privacy laws can vary greatly by country and region. Currently, the European Union, and Germany in particular, have some of the strictest laws in the world – creating a more restrictive environment for enterprises. Various geographic data residency requirements prevent some enterprises from moving regulated data outside the borders of the countries in which they operate. Maintaining strict security standards is an especially important issue for countries concerned with the collection of personally identifiable information (PII). Since a CSP may store data, including PII, in any number of data centers worldwide, this prohibits some enterprises from taking advantage of the cloud if they operate within some of these stricter geographic regions.
Internal & Industry Requirements
There are also data privacy concerns driven by internal management and/or defined by external industry guidelines. An enterprise’s list of internal security requirements is often evaluated against published industry standards to ensure that sensitive information is adequately protected. These standards may be legally required by industry, government or, again, geographic region. Many industries depend on the collection of PII to conduct daily business operations, serve customers, and process payments and receipts, and therefore have strict regulations about how and where this data may be stored and shared.
Cloud data privacy issues are also a key concern for individual consumers using an organization’s or business’s cloud application. With the proliferation of the Internet and cloud computing, more PII is being shared online, making individuals vulnerable to security risk. Increasingly, savvy individuals want to know that the information being put in the cloud is adequately protected and secured by the organization.
Finally, many B2B enterprises find that their business contracts have specific stipulations about how their business customers’ data needs to be treated – especially if it is going to be processed in cloud-based third-party systems as part of the contractual service being provided. These contractual relationships can carry severe penalties for data exposure, so enterprises need to take special steps to mitigate any security risks.
How to Address These 3 Reasons for Hesitation
There is little doubt that the proliferation of business-improving cloud applications will continue in the coming years and provide business advantages to those that adopt them. The question becomes how enterprises hesitating now can reevaluate and begin adopting popular cloud applications while adhering to the security demands they must meet. One option enterprises can choose is to forgo public cloud applications and develop a private cloud – a costlier option with less access to leading innovations in most cases. But there are other strategies for adopting popular public cloud applications without forgoing security requirements. It begins with a well-architected security plan that includes implementing a strategy such as cloud encryption or tokenization that can protect data before sending it off-site to any public cloud applications.
One emerging strategy is to implement solutions in a technology category known as Cloud Access Security Brokers (CASBs). With CASBs, organizations have a hosted or on-premises control point for all data as it moves to the cloud. Gartner recently published a report that discussed the growing use of CASBs to enforce core security policies for data moving to the cloud – stating CASBs “will become an essential component of SaaS deployments by 2017”. [ii] Forrester’s recent Market Overview on Cloud Data Protection Solutions (CDP) went so far as to say, “CDP Solutions Are a Mandatory Security Control.” [iii] This is a fast-paced space that will have a high impact on cloud computing going forward – particularly for those enterprises currently hesitating to fully adopt the cloud.