Pop quiz: Who's responsible for data protection compliance in the cloudy era? If you said 'dunno', you're not alone
Survey is thinly veiled marketing from Microsoft, but the issue is real
A new survey published by Microsoft shows the extent of confusion in businesses about how to comply with data protection regulations in the cloud era.
The Windows giant sponsored a survey by the Ponemon Institute, which approached 30,000 IT or infosec practitioners in the US and European Union, of whom just over 1,000 responded.
Ponemon asked respondents to identify who is most responsible for ensuring compliance in SaaS applications, such as Office 365 or G Suite, or PaaS resources, like Azure App Services or AWS Elastic Beanstalk. There was no consensus, with the biggest minority opinion being that the cloud provider has most responsibility in the case of SaaS (36 per cent) and the company in the case of PaaS (30 per cent). Other candidates were end users or security or privacy departments.
In the early days of cloud computing, there was often an assumption that cloud services are less secure than on-premises systems because inherently data in the cloud is to some extent out of your hands and guarded from public access only by the cloud provider. This assumption gradually gave way to the idea that since both on-premises and cloud provider systems are connected to the internet, and the cloud provider has more resources to invest in security, data may well be safer in the cloud. This is particularly the case for small businesses with few IT resources.
There are complications, though. Compliance with data regulations may require that data is stored in a certain territory, and putting data on systems owned by foreign corporations is an inherent legal risk. According to Ponemon's research, around a third of businesses have stopped or slowed adoption of cloud services because of privacy concerns – but 54 per cent believe that migration to the cloud will improve security and privacy.
There is high interest in the "Bring your own key" (BYOK) concept, where the customer controls the keys used to encrypt cloud data. If the customer revokes the key, even the cloud provider cannot read the data. According to the survey, 29 per cent have adopted BYOK in some measure, and 37 per cent plan to do so within a year.
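To make the BYOK point concrete, here is an added illustration of the envelope-encryption pattern that BYOK services are built on; it is not code from Microsoft, the Ponemon report or any cloud provider. The cloud side stores each object encrypted under a per-object data key, and that data key is itself stored only in wrapped form, encrypted under a key-encryption key (KEK) the customer holds. Reading an object therefore requires the customer's key store to unwrap the data key; once the customer revokes the KEK, the provider is left with ciphertext it cannot open. The cipher used here is an assumed stand-in: an HMAC-SHA256 keystream with an HMAC tag, chosen so the example runs on the standard library alone. Real services use AES (typically AES-GCM) and HSM-backed keys, and the class and method names are invented for the example.

```python
import hashlib
import hmac
import secrets

# Toy authenticated stream cipher (HMAC-SHA256 keystream + HMAC tag).
# It stands in for AES-GCM so the example needs only the standard library;
# it is an illustration, not a production cipher.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then undo the keystream; raise on tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

class CustomerKeyStore:
    """The customer-controlled side: holds the key-encryption key (KEK).
    In a real BYOK deployment this is an HSM or key vault the customer
    administers; the raw KEK never leaves it."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self.revoked = False

    def wrap(self, data_key: bytes) -> bytes:
        return encrypt(self._kek, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        if self.revoked:
            raise PermissionError("customer key revoked")
        return decrypt(self._kek, wrapped)

    def revoke(self) -> None:
        """Revocation: no further unwrap operations succeed."""
        self.revoked = True
        self._kek = None

class CloudStorage:
    """The provider side: holds only ciphertext and the *wrapped* data key."""

    def __init__(self) -> None:
        self.objects = {}

    def put(self, name: str, plaintext: bytes, keystore: CustomerKeyStore) -> None:
        data_key = secrets.token_bytes(32)  # fresh per-object data key
        self.objects[name] = (encrypt(data_key, plaintext), keystore.wrap(data_key))

    def get(self, name: str, keystore: CustomerKeyStore) -> bytes:
        ciphertext, wrapped = self.objects[name]
        data_key = keystore.unwrap(wrapped)  # fails once the KEK is revoked
        return decrypt(data_key, ciphertext)

def demo() -> tuple:
    """Store a record, read it back, revoke the KEK, and show the
    provider-side copy is no longer readable."""
    keystore = CustomerKeyStore()
    cloud = CloudStorage()
    record = b"constructed sample record, not real customer data"
    cloud.put("rec1", record, keystore)
    readable_before = cloud.get("rec1", keystore) == record
    keystore.revoke()
    try:
        cloud.get("rec1", keystore)
        state_after = "readable"
    except PermissionError:
        state_after = "unreadable"
    return readable_before, state_after

if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind is what revocation does and does not cover: it stops future unwrap calls, so objects at rest become unreadable, but any data key or plaintext the service has already unwrapped and is still holding in memory or a cache is unaffected until that copy is discarded. BYOK also does nothing about the misconfigured-permissions failure mode discussed later in the piece, since an authorised-looking request still gets its key unwrapped.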
Use of two-factor authentication is also on the rise, with 73 per cent of respondents adopting it in some measure, or planning to soon.
A telling statistic, however, is that more than 50 per cent of respondents say they are "not confident" that the SaaS and PaaS applications they use meet privacy and data protection requirements. Only just over a third evaluate such concerns before proceeding.
Is it easier to comply with regulations like the EU's GDPR with cloud or on-premises systems? Here there is no consensus, though the figures slightly favour cloud.
Microsoft sponsored this survey for a good reason. Many of the recommendations it identifies involve spending more money if you are an Office 365 or Azure customer. BYOK for Office 365 requires an E5 subscription, which is a hefty £30.80 per month, or even more for Microsoft 365, which includes a Windows Enterprise licence and "Advanced compliance."
Why do businesses migrate to the cloud? According to Ponemon's survey, 42 per cent aim to "reduce cost", which is at odds with Microsoft's upsell effort.
We took a quick look at Microsoft's Compliance Score, which aims to help customers tick all the boxes. We found it optimistic, awarding us a 75 per cent score for a tenant that has completed only five of 280 "improvement actions". The reason for this is that Microsoft awards itself 100 per cent for its own contribution, so even if you operate a tenant that has, say, customer credit card details in full public view on a misconfigured SharePoint site, you would still get a high score. It would make more sense to score only those practices and policies that are under the customer's control.
Compliance is a thorny and intricate problem and one that can potentially consume large amounts of effort and expense without any immediate reward.
Will chucking more money at a cloud provider magically solve compliance issues? We are sceptical. It will not protect you against user errors or misconfigured permissions, which are a common cause of data breaches. Basics like multi-factor authentication are available even in Microsoft's cheapest plans.
All the big cloud providers are keen to emphasise the work they have done to comply with regulations and standards. They have the scale and resources to do this well. That is a good thing and one from which customers can benefit. It does not remove the customer's responsibilities, though, and signing up for more services only makes sense in the context of an organisational policy in which they have value. Put another way, you can spend a lot and still screw up. ®