John Leonard| Computing
Big data needs the cloud. There is a significant commercial pressure for organisations to store and process more and more data as the demand for analytics grows, and it is becoming increasingly impractical or uneconomic to store or process all of this data in-house.
As a result, the following maxim has been widely adopted among cloud customers with respect to sensitive data and applications: “If in doubt, keep it out”.
But this will no longer do. In an increasingly cloud-reliant world, customers – and providers too – need to have an informed view of risk, policy, governance, and above all a workable strategy for remediation. The financial risk of data loss or security breach in the cloud is currently mitigated through reliance on SLAs or contractual indemnity. The former is fiscally ineffective and the latter requires legal intervention.
Ultimately, if risks, liabilities and compensation were more transparent the nature of the industry would change. Instead of using the services of one or two providers, customers would be able to select from a seamless range of different clouds depending on need, with prices reflecting the sensitivity of the data, quality of service guarantees and compensation available in the event of a mishap.
What is needed is an arrangement that not only transfers the risk away from the customer, but also protects the cloud provider against damaging litigation.
Quantifying risk
Step forward the nascent cloud insurance industry. By enabling cloud organisations to offset the risk of lengthy downtime or data losses to an insurer instead of the end user (which is effectively what happens now), and by giving the customer somewhere to turn for compensation in the event of a loss, insurance has the potential to change the way that the cloud operates.
“I think this is absolutely the right way to be going,” said Raj Samani, EMEA CTO for McAfee and strategy adviser for the Cloud Security Alliance.
“If you take security and privacy seriously then your premiums should be lower. I think companies should be considering things like insurance, but it’s a very immature industry.”
Indeed it is. John Newton, chairman and CTO of enterprise content platform provider Alfresco, is one of many who doubt it can even be done outside of a few niche scenarios.
“IT doesn’t like handling sensitive data, but it has to. But I’m not sure insurance really solves this problem. I think it’s a set of policies and controls in place and a level of public and private access that will provide the solutions,” he said.
“To quantify the risk associated with information in the cloud is very difficult. There are varying degrees of risk depending on the data. HR information is OK [in the public cloud], contracts probably not,” Newton added.
“It’s easy to measure availability, but how do you prove confidentiality? How do you evaluate the riskiness of a company?” asked Samani.
These are not insignificant hurdles. Consider too the scenario where a third party application hosted in the cloud causes a security breach or loss of data. Given the lack of transparency in the cloud, how would discovery take place to determine whether the fault lies with the cloud provider or the application owner? And what if a customer breaks regulations by putting sensitive data in the wrong place?
