29 March 2011

Risk Evaporation


The IT landscape is changing and businesses are moving from a client-server infrastructure toward a cloud self-service model, which has proven to be more flexible, scalable and cost effective than traditional in-house deployments.


Looking at the security aspect, the measures enforced to protect an organisation's assets within a traditional network infrastructure appear to be ineffective in ensuring the confidentiality and integrity of the data once it is moved to the cloud.
The security controls implemented by cloud providers are often obscure, letting the subscriber assume they are adequate and sufficient. They often are appropriate, but when subscribing to a service it is almost impossible to know how data and profiles are segregated within the application and between hosted customers. One of the major risks that companies incur while sharing a cloud infrastructure, service or platform is the risk of data loss. The impact could be significant for a business but, most of the time, incidents will go unnoticed.


Some risks can of course be transferred by taking out insurance, but you can never remove your own accountability.
While physical infrastructure security, operating system patch management and application security are often the responsibility of the cloud service provider, data protection is always the responsibility of the service subscriber. The provider can never be held accountable for your own data. Examine your third-party contracts and service level agreements carefully and you will notice that data protection is never covered there.


In the case that neither the provider nor the subscriber assumes the responsibility for the risk of data loss, can the risk simply evaporate?




Quentin Authelet
Risk Consultant, KPMG
