Organizations play blame game over cloud data protection responsibility

A survey by Veritas Technologies last week revealed a startling stat about who organizations believe should be responsible or held accountable for data protection in the cloud. Out of 1,200 enterprises surveyed, 83% had the perception that data protection is the responsibility of their cloud service provider. In addition, 69% thought they could transfer all responsibility for data protection, privacy and compliance to the provider. Though this is a very concerning statistic, there is a hint of truth – but the reality is that organisations are the ‘owners’ of their data, so they are responsible for its security.

While cloud providers have a fiduciary mandate to keep data safe, the protection itself falls on the shoulders of those who own every last bit and byte. 

This is similar to the signs you see when parking your car in an urban parking lot: “Lock your car, hide your belongings, take your keys. Not responsible for lost or stolen items.” As with any property debate, the owner is chiefly liable for property protection and security…even when that property is amorphous like data.

Having the burden sitting squarely with the owner creates accountability, especially when we begin to use new technologies. Organizations are in a mad dash to use all new forms of storage and computing; they need to be aware of the security implications.

Is this such a surprise then?

Unfortunately, this is not news when it comes to perceived blame-sharing. Whether a person spills hot coffee on themselves or uses a power saw without protective eyewear, we tend to look around for someone else to blame. However, when it comes to enterprise security, we can do better. We can take responsibility for the decisions made to move to new cloud technologies and do so with an underlying security framework that travels with assets, irrespective of their location.

We do this with intelligent policy management. Think about it…all security efforts come down to the bedrock of policy: this is allowed, that is not. When you take a step into the world of intelligent policy management, you can curtail many of the risks associated with new forms of computing (cloud, SDN, virtual, etc). By generating the appropriate policy based on the needs of the specific asset in its specific context, you push aside the need for passing security onto the cloud provider.

You become the policy baron who is ready for any new method of data storage or shifting workloads. This effort can be automated and organisations pursuing intelligent policy automation open up to a new world. You want to put 25% of workloads in the cloud? Go for it, security policy will follow. You want to duplicate all databases from on-premise to cloud? Go for it, your security policy will wrap around it all…irrespective of location.  

It is a good sign that organizations are taking these steps. Interestingly enough, those will be the ones who succeed in our evolving world. Not because of policy as an end in itself, but because they can more securely adopt new technologies. This increases productivity, enhances revenue and drives down costs – all with the peace-of-mind that they’re doing so securely.