When it comes to enterprise cloud adoption, one critical risk area to understand is cloud data privacy. IT and security professionals need to evaluate the relative privacy risk of various cloud solutions in order to select the best option for their organizations. Evaluating a range of cloud data privacy risks associated with the adoption of enterprise clouds for CRM, ITSM and File Sharing is essential to the success of your enterprise cloud enablement.
Here are three important factors to consider as you assess the data privacy risks of enterprise cloud providers:
Key Cloud Data Privacy Factors
- Data ownership, retention and destruction
Verify your organization has control over the lifecycle of your cloud data, by asking these questions:
- Does your organization retain full ownership of its data, or do you lose some ownership rights under the cloud provider's contract if the contract is terminated, or if the cloud service you have selected goes bankrupt, is merged or is divested?
- How long will your data remain in the cloud after business and legal timelines are satisfied?
- Does the provider have sound practices for deletion of data and destruction of any physical media?
- Does the provider back up your data to guard against data loss?
Remember that different regional and national data privacy regulations specify different retention periods, after which the data must be destroyed. Also, cloud providers may duplicate data as part of their normal operations for disaster recovery and resiliency, so every copy is subject to the same retention and destruction requirements.
- Third-party access
Malicious attackers are not the only ones trying to access your data. Third parties such as law enforcement, national governments' intelligence agencies and litigants can request access to your data.
In addition, partners of the cloud provider may also get access to the cloud service, raising questions of data privacy. It's important to understand which third-party partners work with your provider and the extent of their access to your data. Ask about the process your provider will follow when an external agent requests data. Do they require written assurances, and can they determine that the source of the request is not fraudulent? Will the provider notify you of a data request when appropriate? Check that your compliance status is not at risk as well. Certain regulations, like HIPAA, have specific provisions governing the activities and practices of third-party service providers, known as Business Associates. Your business associates, and their business associates in turn, will need to be shown as compliant in order to avoid issues.
- Data residency
Another key data privacy factor to consider is where your data will reside, because where it resides determines whose laws it is subject to, and some national or regional laws may conflict with those under which your company operates. For example, employee data from one nation may be subject to privacy laws restricting where the data can be stored. Some providers may not be completely transparent about data residency details, and legal uncertainties like the ongoing court battle between the United States government and Microsoft over data housed in Ireland are a perfect illustration of the conflicts and complexities of foreign data residency. The problem is that when you look at top-tier, enterprise-grade cloud service providers, you will find that many of them operate data centers at points all around the globe. Layered on top of these data centers are virtual infrastructures that move and replicate workloads and data, which makes it hard to track the location of data at all times. These interconnected data centers help to minimize latency and maximize coverage, but they may also create challenges around keeping your data private from prying eyes, whether those eyes belong to your government or another.
More and more enterprises are turning to technical controls like the tokenization and encryption of data in transit, at rest, and in use before sending data to the cloud. This approach can mitigate the worst risks of enterprise cloud adoption while maintaining regulatory compliance regardless of the geographic locations your data may flow to.
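To make the tokenization approach concrete, here is an added example (not CipherCloud's code, and not a description of any particular product) of an on-premises tokenization vault. Sensitive fields are replaced with tokens before a record is handed to a cloud application, and the token-to-value mapping stays inside the enterprise, so the copy that lands in whichever data center the provider chooses carries no personal data. The field names, the sample record and the HMAC key are constructed for the example; the policy dictionary, the `tok_` prefix and the `TokenVault` class are assumptions of this example rather than anything the post specifies. The example also shows the trade-off between random tokens and deterministic (HMAC-based) tokens: deterministic tokens let the cloud application still match equal values, such as joining on a customer ID, but at the cost of revealing which records share a value.

```python
"""On-premises tokenization vault: strip sensitive fields before a record
goes to the cloud, restore them when it comes back. Example code, not
from the original post."""
import hashlib
import hmac
import secrets

TOKEN_PREFIX = "tok_"

# Constructed policy: which fields to tokenize, and whether the token must be
# deterministic (same input -> same token) so the cloud app can still match on it.
DEFAULT_POLICY = {
    "email": False,         # random token: no equality leakage
    "national_id": False,   # random token
    "customer_id": True,    # deterministic token: cloud app can join on it
}


class TokenVault:
    """Holds the token -> plaintext mapping. In production this store and the
    HMAC key would live in an on-premises database and KMS/HSM (assumption);
    here they are in memory so the example runs stand-alone."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._token_to_value: dict[str, str] = {}

    def tokenize(self, value: str, deterministic: bool = False) -> str:
        if deterministic:
            # Keyed hash so an attacker without the key cannot rebuild the
            # token table by hashing guesses; equal values still share a token.
            digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
            token = TOKEN_PREFIX + digest[:32]
        else:
            # Fresh random token every time: carries no information about the value.
            token = TOKEN_PREFIX + secrets.token_hex(16)
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # KeyError here means a token the vault never issued: treat as an error,
        # never pass cloud-supplied strings through unchecked.
        return self._token_to_value[token]


def is_token(s: str) -> bool:
    """True if s has the shape of a token this vault issues (prefix + 32 hex chars)."""
    body = s[len(TOKEN_PREFIX):]
    return s.startswith(TOKEN_PREFIX) and len(body) == 32 and all(c in "0123456789abcdef" for c in body)


def tokenize_record(vault: TokenVault, record: dict, policy: dict = DEFAULT_POLICY) -> dict:
    """Return a copy of record with every policy field replaced by a token.
    Non-sensitive fields pass through unchanged, so the cloud app keeps its schema."""
    out = dict(record)
    for field, deterministic in policy.items():
        if field in out and out[field] is not None:
            out[field] = vault.tokenize(str(out[field]), deterministic)
    return out


def detokenize_record(vault: TokenVault, record: dict, policy: dict = DEFAULT_POLICY) -> dict:
    """Restore policy fields from the vault on the way back from the cloud."""
    out = dict(record)
    for field in policy:
        if field in out and isinstance(out[field], str) and is_token(out[field]):
            out[field] = vault.detokenize(out[field])
    return out


def leaks_sensitive_values(cloud_record: dict, original: dict, policy: dict = DEFAULT_POLICY) -> bool:
    """Defender's check: does the outbound record still contain any raw sensitive value?"""
    raw = {str(original[f]) for f in policy if f in original}
    return any(str(v) in raw for v in cloud_record.values())


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key-do-not-reuse")
    # Constructed sample CRM record.
    record = {"name": "Alice Example", "email": "alice@example.com",
              "customer_id": "C-1001", "plan": "enterprise"}
    outbound = tokenize_record(vault, record)
    print("sent to cloud:", outbound)
    print("leaks raw values:", leaks_sensitive_values(outbound, record))
    print("restored:", detokenize_record(vault, outbound))
```

Only the tokenized record crosses the boundary; the vault and its key stay with the enterprise, which is what makes the residency question moot for those fields. Note that deterministic tokens are a deliberate weakening: use them only for fields the cloud application genuinely needs to match on, and keep the HMAC key as tightly controlled as the vault itself.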
These are just three of the many factors that enterprises must consider when assessing the relative risk of any cloud application or moving to the cloud. To learn about the other factors that go into a reliable risk score, download CipherCloud’s “Cloud Adoption and Risk Report: North American and European Trends,” today.