Protecting data in the cloud: Whose responsibility is it?

When the Covid-19 pandemic demanded flexibility from businesses, cloud services were quickly invested in to equip workers with tools for remote operations. And now, as hybrid working persists across the Middle East region, dependence on cloud technologies continues to grow.

However, moving to the cloud faster than anticipated, and enabling remote workforces to securely access data through various devices in multiple locations, hasn’t always been plain sailing.

In the course of a normal business day, organisations produce and share significant amounts of mission-critical and highly confidential data across a number of different systems. Research from Veritas found that the usage of cloud collaboration tools has increased by 20 per cent since the start of the pandemic, and 87 per cent of office workers in the UAE admitted to sharing sensitive, business-critical company data by using these instant messaging and collaboration tools.

It’s vital to ensure this data is secured. As organisations appoint cloud service providers (CSPs) to provide those all-important services to help keep their businesses running, whose responsibility is it to protect the data that flows through them?

A question of responsibility
Unfortunately, many business leaders still don’t know the answer to this question. When an organisation runs and manages its own IT infrastructure on premises, within its own data centre, it is responsible for the security of that infrastructure, as well as the applications and data that run on it. When an organisation moves to a public cloud computing model, it hands off some, but not all, of these IT security responsibilities to its cloud provider.

Yet, according to our research, there is still a lot of confusion around where cloud providers’ responsibilities end, and where businesses’ own responsibilities begin. Almost two-thirds (65 per cent) of the office workers surveyed in the UAE think data in the cloud is safer from ransomware because they assume their cloud providers are protecting it from malware they might accidentally introduce.

However, the majority of CSPs’ end-user licence agreements contain clauses that make the customer responsible for most data protection. This confusion over whose job it is to secure data means that, often, no one is doing it – allowing gaps in cloud-based data protection to widen. This is amplified with each additional CSP that is brought into the equation.

Yet, worryingly, over half of the senior IT decision makers surveyed in our Vulnerability Lag research confessed that they could not accurately state the number of cloud services they were now using. They also lacked clarity about the data they might need to protect, with the average respondent admitting that 38 per cent of the data their organisation was storing is ‘dark’ – that is to say, they don’t know what it is – and that a further 49 per cent is redundant, obsolete or trivial (ROT).

So, how can any organisation even begin to understand their responsibilities – and the gaps in these responsibilities – when they don’t know which cloud services they use, or what data is held and where?

Visibility is the key to protection
An important place to start is to check the finer detail of what is covered in the contracts that organisations have with each of their CSPs. This will help understand exactly where their responsibility for data protection lies. Another significant step is to gain a thorough understanding of the value and location of the data that needs to be protected.

Bringing security measures up to speed with cloud deployments is not an easy task, especially as many companies now have petabytes of data spread across dozens of hosted applications and cloud services. Getting that under control is unlikely to be achievable through manual processes.

Instead, organisations should consider modernising their data protection strategy with autonomous data management solutions that work across multiple clouds. This can play a key role in freeing up skilled IT team members to work on transformation projects by allowing artificial intelligence (AI) and machine learning (ML) technologies to autonomously shoulder more of the burden of data protection.

Reducing the vulnerability lag is essential in helping organisations protect their most valuable digital assets against pervasive threats such ransomware, as well as ensuring compliance with data protection laws, such as the UAE Data Protection Law. And this doesn’t need to be a drain on resources.

The organisations that will be most successful are those that can view the challenge of data protection as an opportunity to reassess their security measures. By using single data protection platform that can secure data in increasingly heterogenous environments, while freeing up IT teams to focus on innovation and transformation, will help their organisations adapt and thrive, even in times of uncertainty.

Johnny Karam is the managing director and vice president of International Emerging region at Veritas Technologies

Read: Financial services companies may be vulnerable to ransomware for another two years