
Blind trust is no longer enough in the era of GDPR

Clouds are those blurred masses of condensed watery vapor floating in the sky whose gloomy nature often leads to questionings around their true physical state. Are they really tangible? Could we touch what we look up to? And above all, is there a difference between what we imagine seeing and what they truly are?

In the computing industry, “the cloud” means something else but it is above all a marketing trick: Tech firms would like you to believe it is something soft and fluffy but it is in fact a huge network of remote services – held together by countless pages of legal terms – hosting and managing data. And it’s not fluffy at all: At the end of the day, there is no “cloud”.

“The cloud” is tens of thousands of racks in datacenters filled with servers.

From the early days of computing and through the first phase of the Internet explosion up to the early 2010s, companies were mostly protecting their information internally, and they usually had some form of direct control over it. Most security standards and accepted good practices were drafted in that era and are still heavily inspired by a world where you could know where your data and your servers were.

In recent years, however, the development of massive computing and storage capacity in the hands of a few internet juggernauts led to the rise of the cloud economy. For the last decade, companies of all sizes — from tech startups to Netflix serving in excess of one hundred million users globally — have been moving their mission-critical servers and operations to the data centers of Google, Amazon, or Microsoft.

On the face of it, the development of Infrastructure as a Service (IaaS) should be good news for the state of cybersecurity. Economies of scale and their vast pool of talent should allow tech giants to dedicate far more resources to properly securing data centers. Servers should be easier to patch in a timely manner, state-of-the-art firewalls should be used, and the physical location of these data centers should be heavily guarded. In this context, it is easy to believe that moving to the cloud could mean solving many of your cybersecurity issues.

It is also easy to believe that moving to the cloud would make your cybersecurity someone else’s problem. Nothing could be further from the truth. Of course, each organization retains its own regulatory obligations irrespective of how operations are technically delivered.

For example, going to the cloud will not make any business GDPR-compliant in and of itself. In fact, all of the GDPR’s most important prerogatives around cybersecurity — adequacy of the protective measures, appropriate data management processes around consent, retention and deletion, etc. — remain firmly within the organization’s remit. Not only is the CISO still a cornerstone of your GDPR strategy, but the role inherits a new key responsibility: that of dealing and interacting with cloud vendors in this new world where your physical technology stack is delegated to someone else while the regulatory obligations remain firmly in your hands.

Looking at Amazon Web Services’ Shared Responsibility Model makes this dichotomy very clear.

AWS is responsible for the security “of” the cloud while you remain responsible for the security “in” the cloud — atop which sits your customers’ data. While a car manufacturer is responsible for the safety of your car, you are ultimately responsible for driving safely.

Similarly, AWS will never prevent you from driving into a tree. In their own words: “AWS trains AWS employees, but a customer must train their own employees.”

Platform as a Service (PaaS), Software as a Service (SaaS) and all hybrid models of course bring up the same challenges, often compounded by their interdependence (e.g. a SaaS solution built on IaaS or PaaS services) and by a real supply chain which can become blurred very quickly.

The issue brought by the shift to the cloud paradigm in cybersecurity is not one of adaptability but of adaptation. As such, a key role for the CISO is increasingly to act as a bridge between internal structures and cloud suppliers in order to ensure that all stakeholders are aware of all security requirements (driven by internal policies or regulation) and that all appropriate measures are in place.

This evolution in the role of the CISO epitomizes a fundamental trend in cybersecurity which centers more and more activities around governance, people and culture rather than technology, data and networks.

It does challenge organizational models as well as the profile of the CISO, and brings vendor risk management practices to the forefront: in the cloud, you are never sure of what’s really going on, your relationship with vendors is framed by contracts which are often one-sided, and a small SaaS provider carrying out sensitive business operations could expose your organization considerably.

For regulated industries (and which industry isn’t regulated in the age of GDPR?), blind trust will never be enough, and being able to demonstrate a sufficient degree of due diligence on key vendors will always be essential to defend against any liability in case of a data breach.

Welcome back to the “Trust-But-Verify” era…