Managing cloud risk in the era of GDPR


Regulation - and not just the GDPR - will soon add an extra dimension to organisations' security planning

New threats arise every day, from new malware, newly discovered security flaws, new exploits and new attackers. Businesses have no control over this landscape, but they do have control over their networks and systems. If risk scores are calculated using factors such as threat, vulnerability and impact, then organisations must focus on all vulnerabilities, both technical and human.

The lack of control around cloud systems has always been a cause for concern. It's not that cloud computing is less secure, but that IT is much less able to focus on the vulnerabilities, which makes security-minded individuals - who instinctively dislike the notion of trusting third parties - uncomfortable.

Security was traditionally a barrier to cloud services and it remains a common barrier to overcome today. Recently, focus has turned to legislation. Namely, how can organisations be sure they are compliant with the GDPR?

This regulation will add another dimension to organisations' security planning: the possibility of huge penalties for non-compliance.

On top of this, there are big questions over the extent of organisations' responsibility for personal data and for their applications running in the cloud - even where third parties are supposed to be responsible for security.

With the GDPR arriving in May 2018, with complete compliance expected from day one, there is not much time left to prepare.

There are other issues coming down the line too, adding to the urgency.

The first is Privacy Shield, the much debated replacement to the Safe Harbour agreement, which covered the transfer of personal data from the EU to the US until it was ruled unlawful by the European Court of Justice.

For many campaigners, Privacy Shield is little better than Safe Harbour and it is already coming under renewed legal attack. The same is true of alternative data transfer mechanisms, such as Model Clauses.

There is also the ePrivacy Regulation (applicable in the same form across the EU), which will cover telecoms and over-the-top (OTT) services such as internet TV, voice-over-IP and video conferencing. And soon there may be new laws governing cookies (not a moment too soon) and further data protection legislation.

So, in addition to the cloud being somewhat opaque when it comes to managing risk, organisations face a tidal wave of complex, incoming regulations.

Clearly, they must make sure their risk management strategy is both robust enough and flexible enough to ride the waves. A key part in this risk management strategy is the choice of cloud service provider. How can the risks associated with cloud services be quantified?

There are various boxes that need to be ticked as a matter of course. Does the provider have ISO 27018 accreditation for protection of personally identifiable information (PII) in the cloud, for example? Where are the data centres located? Can it guarantee that data will be covered by appropriate controls, and that it is encrypted in motion and at rest? How are encryption keys handled? And does the provider have a plan in the event of the possible replacement of Privacy Shield?

In other words, will this provider supply a stable platform for your business over the next few years, and is it fully cognizant of all the regulation coming your way and theirs?

Computing's IT Leaders' Forum on 28th February will focus on Getting Ready for the GDPR.

This will examine the forthcoming legislation, and ask how IT leaders can apportion a risk score to their systems, particularly cloud services.

We will discuss the actions they can take to ensure their risk profile is commensurate to their risk appetite, and how to fix vulnerabilities when they are identified to ensure that risk remains as low as possible.

Attendance is free to qualifying CIOs, IT directors, IT managers and senior IT pros. To examine the agenda and to register, please check out Computing's IT Leaders Forum website.
