Published first in the Practical Law In-House Blog.
The cloud (access to on-demand, scalable, pooled, remote IT resources paid for “as you go”) is now mainstream, and on-premise IT (traditional IT infrastructure located at the user’s site) is rapidly migrating to it.
In-cloud operation provides attractive benefits, including:
- Provisioning flexibility.
- Access to new services.
- Assisting digital transformation.
- Speed of deployment.
- Cost efficiencies.
However, businesses now operate in an increasingly intrusive regulatory environment that emphasises the importance of data security, data sovereignty, data residency, data privacy and data rights. All these issues need to be managed effectively when migrating IT workloads to the cloud to secure the potential benefits.
A central feature of this transformational change is the epic migration now underway in enterprise (large organisation) computing from on-premise to in-cloud, with the cloud’s share of enterprise IT forecast to rise from around 10% today to just under 50% by 2026. The development of the enterprise cloud is as significant as the migration of electricity generation from factories to the National Grid in the 1930s, but it has many more facets, as each component of IT infrastructure (processing power, network, memory, storage and software) gets the cloud’s “as a service” treatment.
Cybersecurity risks and threats
As enterprise cloud uptake increases, so do the cybersecurity risks and threats. The UK’s National Cyber Security Centre (NCSC), part of GCHQ, recognises that, from a security perspective, using a Cloud Service Provider (CSP) which has made the “right security investments” can give several advantages. Large CSPs, with many thousands of security professionals, may well offer better security than an equivalent on-premise installation. However, cloud security features prominently among perceived cybersecurity risks and threats, and as the NCSC noted in its report “The cyber threat to UK business 2017-2018”:
“Only 40% of all data stored in the cloud is access secured, although the majority of companies report they are concerned about encryption and security of data in the cloud. As more organisations decide to move data to the cloud (including confidential or sensitive information) it will become a tempting target for a range of cyber criminals. They will take advantage of the fact that many businesses put too much faith in the cloud providers and don’t stipulate how and where their data is stored.”
Cloud security, compliance and governance frameworks
In response to these threats, organisations are establishing cloud security, compliance and governance frameworks to manage the range of cloud security duties that apply to them and to assess, advise on and assist in managing the risks involved. The first step in this process is to create a checklist of the sources of cloud security duties that may apply to the enterprise. These obligations are diverse, increasingly far-reaching, and will vary by industry sector. The enterprise will need to consider its own regulatory duties, those of its customers and supply chains, and other generally applicable information security obligations. Enterprises will also need to consider multiple (and potentially conflicting) cloud security obligations across their international operations. These duties break down into the following categories.
- Applicable sector-specific regulatory duties.
- Generally applicable security and data regulatory duties, such as:
  - data protection;
  - data sovereignty;
  - data residency; and
  - network and information systems security.
- Other generally applicable business regulation (for example, directors’ duties requirements in the Companies Act 2006).
Non-contractual civil law duties
- Negligence, where the duty to take “appropriate technical and organisational measures” to keep data secure in the cloud (the formulation used in the GDPR) is emerging as the cybersecurity yardstick by which the normal tortious duty to “take reasonable care” looks likely to be measured.
- Other civil liabilities including:
- breach of confidence;
- breach of fiduciary or statutory duties;
- misuse of private information; and
These may be between the:
- CSP and the enterprise.
- CSP and its supply chain.
- Enterprise and its customers.
- Enterprise and its supply chain.
Internal policies and procedures applicable to staff and contractors
These include policies and procedures on:
- GDPR compliance.
- Training and awareness.
- Duties of confidentiality.
- Device and password controls.
- Vulnerability assessment and penetration testing.
Cloud security best practice
Organisations are increasingly developing their own cloud security best practices, and there is an array of best practice guidance available from the CSP, public sector and enterprise user communities. For example, the NCSC’s guidance provides practical detail and context on its 14 Cloud Security Principles:
- Data in transit protection.
- Asset protection and resilience.
- Separation between users.
- Governance framework.
- Operational security.
- Personnel security.
- Secure development.
- Supply chain security.
- Secure user management.
- Identity and authentication.
- External interface protection.
- Secure service administration.
- Audit information for users.
- Secure use of the service.
An important element of this structured approach to cloud security is showing how the CSP can provide assurance that it will meet its security commitments. The NCSC paper “Having confidence in cyber security” explains the ways in which cloud buyers can determine and demonstrate compliance with the cloud security principles, for example through:
- CSP assertion.
- CSP contractual commitment.
- Third-party certification.
- Independent testing.
Here, the combination of [contractual commitment] + [accredited standards certification] + [reserving the right to carry out independent testing] is emerging as market practice, since a CSP’s own assertion, on its own, gives the buyer nothing independent to rely on.
Enterprise cloud migration is set to gather pace in the coming months and years, bringing a wide range of IT benefits to large organisations. As we have seen recently with GDPR, security is in the public eye, and legal duties to keep cloud data secure are becoming more onerous. Balancing cloud benefits and security duties is a critical success factor for organisations in their cloud operations.
Ensuring that cloud security (the mix of legal, technical, operational and governance measures to achieve a desired information security outcome) is high on the corporate agenda, and establishing effective cloud security governance frameworks (and the policies, procedures and processes that underpin them) will be vital as enterprises continue to shift their computing workloads “off prem”.