Security, risk, data loss, and legislation. These are the primary concerns listed by organisations and government institutions when asked why they are reluctant to move to the cloud. It is the perennial debate – will cloud put the data at risk? Isn’t on-premise more secure? How can the organisation ensure it is compliant in light of growing regulatory control over how data is accessed, protected and used? For many, the answer lies in the tried and trusted foundations of on-premise solutions that have weathered the storms so far. The problem is that this isn’t necessarily the right answer…
Some organisations remain convinced that on-premise is more reliable than the cloud. In Kenya, government guidelines recently approved by President Uhuru Kenyatta – safeguards that are considered to be on a par with the General Data Protection Regulation (GDPR) – have put immense pressure on organisations when it comes to data handling and sharing. When a company faces either a prison sentence or a hefty fine for violating the act, it makes sense for them to panic about security and be more prudent about with which provider to share their personal information with.
This trend is reflected in Nigeria, Ghana and Rwanda where legislation is influencing decision making when it comes to the cloud. In Nigeria, government industries have been advised to stay with their on-premise platforms. Rwanda has clamped down on its personal data protection with regulations around consent from individuals. South Africa is still toying with its Protection of Personal Information Act, but this is very likely to be signed into law fairly soon. These regulations are all essential in a time when data privacy and security are under scrutiny and the cyber-threat has never been more present. And it makes sense that companies are forming a protective circle around their information and question where and how a provider stores their data before investing into the cloud.
Due to the far-reaching hands of governments, data sovereignty is a primary concern of institutions moving to the cloud. Data sovereignty refers to the fact that information which is stored in the cloud is subject to the laws of the country in which it is physically stored. For some organisations this concern may be warranted, such as highly regulated government organisations storing highly confidential information. However, even highly regulated organisations are taking advantage of what the cloud has to offer by taking a hybrid approach.
For more sensitive confidential information, the data is stored on-premise, and other processes that are less sensitive, are outsourced to third party cloud providers. This is a reasonable approach. However, most companies don’t have the skilled manpower or budget to build a secure hybrid approach, or even an on-premise solution, which is why not moving to the cloud becomes a business risk.
At the same time the truth is that while many organisations cling to on-premise as the solution, it can be the most dangerous of the two.
Using or not using a cloud provider has no bearing on complying with privacy regulations, as long as adequate safeguards around personal information can be guaranteed. Privacy regulations stipulate organisations take into account the state of the art and industry prior to implementing new solutions. When looking into the information technology landscape today, we can see the moving to the cloud is the most secure, scalable, and reliable way to protect data.
“Professional cloud infrastructures are usually safer and more reliable than many on-premise platforms,” explains Anna Collard at KnowBe4. “One of the most common reasons for this is the lack of security resources organisation can employ. Security skills are hard to come by even globally, and in Africa we only have about 10 000 security professionals across the entire continent. Large companies such as Oracle have employed a security team that is bigger than all the African security professionals together.”
Cloud service providers are in the business of looking after their infrastructure and their client’s data, providing a level of assurance via ISO 27000, PCI DSS, Cloud Security Alliance and other security certifications. Microsoft Azure or Amazon Web Services (AWS) list of security certs is mind bogglingly long –a feat that is difficult to accomplish unless security or IT infrastructure management is your core business.
Another issue is that people often ask if the security on offer by the cloud service provider is the absolute best on the market. The real question should be whether the security is appropriate for the level of data and services being provided and where the data centre is located to ensure adequate data protection alignment.
“Cloud service providers consider all the angles from auditing to phishing to updates to patches and intrusion detection,” concludes Collard. “Their solutions are designed to not just meet industry standards, but to exceed them. This is not only to ensure the safety and security of the customer, but because their own reputation is on the line if they don’t deliver.”
According to ESG research in January 2020 67% of enterprises use public cloud infrastructure services to support their IT operations. That number is most likely going to increase even more so over the next few months with the Covid-19 pandemic forcing many organisations to set up work from home. There is no guaranteed road to risk-free business. Cybercrime is on the rise and it is exceptional sophisticated, leveraging human error and system vulnerability to gain access to systems and damage reputations. Ultimately the cloud is just a third-party provider, the responsibility over the data remains with the data owner, which is the business or organisation processing the data.
Performing a third-party risk assessment and reviewing the cloud provider’s security certifications should be standard practice to ensure adequate security will be applied, regardless of where the data is stored and should help greatly in the decision-making process.
While it’s perfectly understandable for the business to hold onto what it knows – the on-prem solution – cloud has become a powerful and reliable ally that can not only surpass most on-prem solutions, but can do so at a lower cost and with better security.