Back to news & views

Moving to the cloud? There’s no silver lining protecting your data

Most organisations are investigating whether they can use the undeniable benefits of cloud services to help their business run more cheaply, faster and more efficiently. Without a clear understanding of the implications for your data, however, you could be exposing your organisation to serious security, compliance, financial and reputational risks.

Globally only 45 per cent of organizations are confident in their security, according to the Cisco 2016 Annual Security Report. With ever-more sophisticated hacking attempts, trusting your data to a cloud provider without appropriate assurance and testing bypasses all your internal investment in enterprise security.

In the past, you could rely on your own layered security model and firewalls to protect your data. With cloud services, you usually have only your contractual agreement with the service provider. Typically, contracts will include assertions as to security, but not provisions that allow you to verify (e.g. by way of penetration tests) that your data is appropriately secured or that the service provider has appropriately vetted people with access to your data. They also may not adequately cover financial penalties if your data are compromised,   allowing you a level of redress if you are financially exposed.

Take for example TalkTalk’s recent leak of 157,000 customers’ credit card details. Soon after the event a few employees from the firm managing their call centre in Kolkata (Calcutta) were arrested over security issues although no proven link was made to the data leak. Whether or not the individuals concerned were involved there were clearly important issues surrounding their outsourced security model.  For every TalkTalk that hits the papers there are several less well-known instances where firms suffer similar data losses.

When outsourcing IT services to a third party cloud provider, you should therefore ensure that they negotiate a robust contract that covers the sort of things mentioned in the (admirable) Information Commissioner’s Office (ICO) Guidance for Outsourcing (

Good data security isn’t just about technical considerations. It spans a range of disciplines including operations processes, infrastructure, networks, development methodologies and end user behaviour. Checking that there are as few holes in your end-to-end service as in your firewalls needs a carefully considered and risk-based approach.

Though this may seem like common sense, many cloud transition projects often fail to perform data security assurance to the appropriate level. In many ways, your data, and the trust of your customers, is your business. Practical steps that can help to minimise the risk of cloud data security breaches include:

  • Identifying and classifying sensitive data (preferably using a standard approach)
  • Describing the key risks associated with the sensitive data identified
  • Construct scenarios addressing the identified risks and demand proof of compliance, and the ability to verify this proof, from the outsourcer.

The above argument should not be taken to mean that security is better by definition with traditional solutions compared to cloud solutions.  We heard an interesting unconfirmed story of a bank that experienced resistance to cloud solutions on security grounds.  According to the story, as a test, an application was cloned in the cloud.  A firm specialising in performing penetration tests was then challenged to hack the original application and the cloud-based clone simultaneously.  The original version was hacked quickly and the cloud version remained impregnable.  The cloud project then gathered speed.  So we are not saying “don’t do it”.  We are saying “if there is a business case, do it – but do it carefully”.

In summary, whilst you can outsource the processing of your data quite easily, it’s possible but harder to outsource responsibility for keeping that data secure on behalf of your customers.