Exactly who is responsible for protecting your cloud data?

Answer: (A) You, (B) your technology partner, or (C) your cloud service provider? Or someone else altogether?

It’s not unusual for businesses that have moved to the cloud to pat themselves on the back and say, “Job well done; our data is now safe. Phew.”

Unfortunately, that’s not true. Just ask Facebook, which had the personal data of over 530 million users stolen back in 2019. Or Alibaba, which had more than 1.1 billion pieces of user data impacted after an attack in 2019. And LinkedIn, which had 700 million member profiles scraped from the cloud and shared on a dark web forum.

But who is responsible for the safety of your data once it’s in the cloud? The bad news is that it’s not the job of your cloud service provider (CSP) to secure your cloud-hosted data from attack. Even the most robust CSP can’t overcome human errors that originate at your end.

Let’s take a closer look.

If you are on a public cloud like Microsoft Azure or Amazon Web Services (AWS), then they own the infrastructure, physical network, and hypervisor (a program used to run and manage one or more virtual machines on a computer). And they’re responsible for securing them. Imagine they are your landlord and maintain the property, as well as provide burglar alarms and sprinklers. However, as the tenant, you still own the workload operating system, the apps, the virtual network, and access to your tenant environment/account - and the data. You’re liable for safeguarding your belongings, locking the front door when you leave, and not handing out access keys willy-nilly.

Likewise, if you’re a SaaS customer, then your vendor is primarily responsible for their platform - including its physical, infrastructure and application security. What they don’t own, though, is your data. And they’re most definitely not responsible for how you use (or even abuse) your applications. It’s your role to prevent or reduce the risk of data breaches through malware insertion, accidental exposure, or exfiltration (aka data extrusion, data exportation, or data theft).

Of course, if you host all of your own software applications on-premises, then all security issues and responsibilities are your own.  

All of this isn’t helpful if you are feeling insecure about your data in the cloud. What is helpful, though, is looking at protecting your data (and applications) as a team effort. If you apply all of the same security measures to the cloud that you enforced with your pre-cloud infrastructure, you are off to a good start.

As a team, you need to determine who controls each component of the cloud infrastructure, as this will vary by cloud model (e.g., SaaS, PaaS, IaaS, etc.). It’s worth making a list (from data to devices to data centres) and working through it carefully, so you know where responsibility is shared and where it falls entirely in your court.

So, what is the answer to the initial question about who is responsible for the safety of your data in the cloud? Yes, it’s (D): everybody, all the time.

2023 June