By Gail Coury, Chief Information Security Officer, Oracle Cloud
Organizations around the world are ramping up to comply with the European Union’s General Data Protection Regulation (GDPR), which will be enforced beginning on May 25, 2018, and each must have the right people, processes and technology in place to comply or else potentially face litigation and heavy fines. The drive for more regulations is in large part the direct consequence of the rise in data breaches and cyber security incidents. In an effort to protect data privacy, governments are stepping in and demanding greater transparency in how organizations handle sensitive personal data. GDPR is just one such privacy mandate that will affect organizations globally and impact the lifeblood of their operations. Many have spent countless hours already preparing for the deadline, while others are just getting started.
Organizations are rapidly embracing cloud services to gain agility and thrive in today’s digital economy. This has created a strategic imperative to better manage cybersecurity risk and ensure compliance while keeping pace at scale as firms move critical apps to the cloud. According to the Oracle and KPMG Cloud Threat Report, 2018, 87 percent of organizations have a cloud-first orientation.
The conventional mindset—that security is an obstacle to cloud adoption—is rapidly losing relevance. Enterprises in highly regulated industries are becoming more confident putting sensitive data in the cloud. Ninety percent of organizations say that more than half of their cloud data is sensitive information, according to the same report. Although customers are confident in their cloud service provider’s (CSP) security, they should vet their cybersecurity programs vigorously, and conduct a comprehensive review assessment of their security and compliance posture. Trust has always been important in business and paramount when choosing a cloud partner.
GDPR is top of mind for a lot of organizations because it’s a people, process and technology challenge and requires a coordinated strategy that incorporates different organizational entities versus a single technology solution. It is a complicated law and introduces intricate new regulations and requirements for handling personal data. In fact, 95 percent of firms affected by GDPR say that the regulation will impact their cloud strategies and CSP choices, based on findings published by Oracle and KPMG. One of the central considerations would be movement of sensitive data between CSP data centers. Organizations need to understand and clarify how their CSPs employ essential data protection controls and standards to meet GDPR requirements because every cloud platform and vendor has unique cybersecurity standards.
As you may know by now, cloud security and compliance is a shared responsibility, where the cloud provider and the tenant each have a role to play. Although it sounds relatively simple, customers are often not clear where their provider’s role ends and their obligations start, creating gaps. Knowing what security controls the vendor provides allows the business to take steps to secure their own cloud environment and ensure compliance. Almost every organization today has more than one regulation with which they need to comply and they increase the complexity with each cloud service they add. As organizations continue to lift and shift their apps to the cloud, they need to keep pace with scale and ensure security and compliance is maintained.
I am excited to explore these topics with other industry experts at the Cloud Compliance Zeitgeist panel on April 16 (12:50 p.m. – 1:35 p.m.), at the Cloud Security Alliance Summit at the RSA Conference 2018. Also, my colleague, Mary Ann Davidson, Oracle’s Chief Security Officer, will lead the panel Getting to Mission Critical with Cloud. You will hear directly from some large complex global enterprises about their journey to the cloud, cybersecurity challenges and their complex compliance mandates.
We look forward to seeing you there!