Who is Responsible for Cloud Data Security?

“The Buck Stops Here”, said US President Truman. And he made it doubly clear by having that statement inscribed on a thirteen-inch sign on his White House Oval Office desk. But what would he have made of the cloud, where IT engineers, managers and employees can all upload data, and where trying to pin down one person in charge of data security is often a challenge, to say the least? The cloud is great news for organisations looking for reliable pay-as-you-go storage and processing power. However, lack of control over sensitive data being stored and processed there could be a problem waiting to happen. It could affect almost half of all cloud-using organisations, according to a report issued after the Infosecurity Europe 2014 conference. So how can you answer the question of who is responsible?

One point of view is to dump responsibility in the lap of the cloud service provider. After all, to use a financial analogy, if you can’t trust a bank to keep your cash safe, who can you trust? However, this analogy soon breaks down. Mislaying cash in any sense is unfortunate, but the loss is proportional: the more cash goes missing, the greater the loss. With data, on the other hand, you only have to lose a small amount of critical information, such as an account ID and a password, or confidential information concerning a customer or a patient, to do significant and perhaps fatal damage to your organisation.

Back in 2012, New Zealand’s Privacy Commissioner, Marie Shroff, stated that cloud data was the user’s responsibility. This is a complete reversal of the point of view above. Others take a hybrid position, for example placing more of the onus for security on the provider for SaaS, and a little less on the provider (so more on the user) for IaaS. The safest, although the most labour-intensive, solution may be to trust no-one and implement your own rigorous data security policies and protection. About 40 years after President Truman’s term of office, Andy Grove, CEO of Intel Corporation, wrote his book entitled “Only the Paranoid Survive”. If you can’t identify your Truman of security, you might want to consider the “Grove approach” to your cloud data confidentiality.