Data sovereignty is the biggest concern in cloud transition

With the GDPR enforcing geographic storage requirements, experts advise research before investment

Research conducted by Computing and presented in our most recent web seminar - 'Cloud security: fresh concerns require new answers', now available to watch on-demand - revealed that most CIOs' public cloud concerns revolve around where their data is being held.

So-called data sovereignty is a big issue under the GDPR, which is commonly misunderstood to mean that European citizens' information has to be kept inside the European Union. In fact, data can exit the Union, but citizens whose data is taken out must be informed and allowed to opt out; it's a huge logistical challenge.

That presents a problem when it comes to the cloud, where it can be difficult to determine which data centre a data processor is using to store your company's records.

Peter Agathangelou, an independent IT contractor, said that this anxiety is already causing a shift in how companies are approaching the cloud:

"When people are going out and wanting to put something in the cloud, they are asking where the data centres are, where data will be held, and what guarantees they have that it won't be moved outside the EU without their knowledge. People are being more careful about their selection. [The GDPR is] making people do more of their homework before they invest in these solutions."

The ICO has still not released all of its GDPR guidance, and stakeholders need to refer directly to the ICO to "find that wiggle room", said Agathangelou.

The GDPR itself, and other new legislation, was just slightly behind data sovereignty in the list of CIOs' cloud concerns. Under the GDPR, both data owners (cloud customers) and data processors (cloud vendors) are liable in case of a data breach, and an audience member asked how much expectation there is to physically inspect data centres.

Colin O'Rourke, principal presales consultant for cyber security at Oracle, said that every cloud vendor should make changes in legislation like this absolutely clear, but customers must look out for themselves rather than relying on vendor assurances. Oracle offers penetration testing services to every client, as well as its DBSAT (Database Security Assessment Tool) product, which leverages AI and machine learning.

"It's incredible," said O'Rourke. "I've come from a background of database security. That's Oracle's bread and butter...and it's evolved into the cloud. Let's say you want to resolve a shadow IT problem - Oracle could listen to the network and determine where cloud services are being used. We can define white- and blacklists of allowed behaviour, can pull in threat intelligence through TOR… It all enables critical decision making."

Agathangelou agreed that cloud users must take responsibility and do their own research - especially where sensitive data is concerned:

"People need to understand what they're doing and the ramifications - then they can put measures in to protect themselves… There must be an improvement in planning when putting data into cloud and understanding what you're getting. I would always have questions ready to ask partners how security is handled, what standards are followed, how easy it is to get your data out when needed...

"You need to know what it does, and more importantly what it doesn't do," he added.