Cloud GRC in wake of Prism

By Lebo Mashiloane
Johannesburg, 05 Mar 2014

IT and related to cloud security, interception and monitoring has become critical in the wake of the Prism scandal, said InfoSeal CEO Francis Cronje at the ITWeb 2014 and risk compliance.

"Edward Snowden's revelations about Prism, a surveillance data mining program used by the National Security Agency to force Internet companies to turn over their data, have resulted in 70% of key decision makers becoming sceptical of cloud providers across the globe," explained Cronje. "57% also stated that they are less likely to use the public cloud as a result."

Cronje cited additional reactions that have filtered through to government levels, with German chancellor Angela Merkel proposing a European communications network be built to help improve data protection and the French government seemingly backing this initiative.

"Despite companies reacting strongly to the NSA scandal, many companies say that they don't fully understand current data laws, with 60% admitting they don't know as much as they should about data privacy laws. Similarly, 44% are confused by privacy and security laws," said Cronje.

Furthermore, 77% stated that they would rather host their data in a highly secure, but latent facility than in a facility that guarantees top speeds but is less secure.

As a way forward for companies that are going to interact with the cloud, Cronje advised that the data privacy laws of the countries where data will be hosted should be one of the key factors when companies select a cloud service provider.

"Service providers should reveal to companies their intention to transfer the information to a third country or international organisation, and the level of protection afforded to the information by that third country or international organisation."

Cronje added that cloud service providers should secure the integrity and confidentiality of information under their control by taking appropriate, reasonable technical and organisational measures.

"This will help prevent loss of, damage to or unauthorised destruction of the organisation's information; and unlawful access to or processing of this information."

Safeguards should be continuously updated in response to new risks or deficiencies in previously implemented safeguards. Along with this, Cronje believes key contractual questions pertaining to backup and disaster recovery measures, irrespective of the information or data's location, should be asked.

"Do service providers have adequate oversight of any sub-processors (irrespective of their location) they use or might use and subsequent to that, do they have the necessary agreements and contracts in place to ensure the security of the organisation's information or data?"

"There's no doubt that most cloud service providers can facilitate this function better than most in-house IT departments and security remains top on the agenda," concluded Cronje.