The use of cloud computing is becoming ubiquitous because of its inherent advantages- from flexibility to simple onboarding.
But on the other hand, there are growing security issues such as the ones experienced by banks in Australia. Are there lessons for companies in other geographies?
W.Media’s digital event ‘South Asia Cloud Security Market Insights’discussed ‘Cloud Migration Security Challenges & Mitigation Strategies’. The panel was moderated by Mubin Shaikh, Partner & Leader, Cyber Security, BDO in India. The panellists included Mansi Thapar, Global Head- Information Security, DPO, Jaquar Group. Tirthankar Dutta, VP & CISO- Star & Disney India, The Walt Disney Company. Shaik J Ahmed, GM & Head- Information Security, Renault Nissan, Technology Business Center India and Parag Deodhar, Director- Information Security- APAC, VF Corporation.
Regulatory Risks
Regulations in different countries are constantly evolving. There is GDRP (Gross Domestic Regional Product), and now CCDA (Cisco Certified Design Associate) which has come in.
Most Asian countries have their own regulations and they talk about data localisation, cross water data transfer, and other requirements. India is also now coming out with its own privacy laws.
“When we are in a business that decides to start using cloud and decides to store information data on cloud, along with the company data depending on the application they use and the customers they serve there could be customer data which could include personal details that could be stored on cloud.
It becomes important for businesses to understand the regulatory requirements for their specific companies or businesses and keep that into account while creating their cloud migration strategy,” said Parag Deodhar, Director- Information Security- APAC, VF Corporation.
He further added that it is important for organisations to understand where their data is going and which cloud service they will opt for whether it is the SaaS or PaaS service.
The organisations often believe that the cloud service provider is GDPR compliant or the cloud service provider has the ISO certification and think that these factors lead to security. But it originally depends on the service that the organisation is opting for and where the data is getting stored. Proper risk assessment from a regulatory and data privacy perspective is extremely important.
Other considerations, GDPR for example provides customer’s right to forget, which means if the customer doesn’t want their data to be shown or wants you to delete it from your systems.
“How will you ensure that when the data is stored on cloud then from an availability perspective it is stored on different cloud databases. There are requirements related to incident management, right to audit and others. Depending upon the kind business and regulations, keeping the requirements in mind one needs to decide the strategy of cloud migration accordingly,” added Deodhar.
Migration Challenges with latest technologies
“If you look at all the data stored on cloud and all the applications, APIs are becoming popular. The service providers, analytics providers, and others will use these APIs and the data will go out of your databases through these APIs.
It is important to secure these APIs as well. From an analytics perspective, it is not just AI/ML but also from a data perspective which has triggered cybersecurity where data leaks are used for monetisation that becomes a challenge for all companies.
“It is important to keep the basics in mind, it is important to understand the data flow, where the data is going and follow the data. The data protection has to be data-centric, one cannot look at it from an application, system, or infrastructure perspective.
Just follow the data trail and understand what data is getting stored where. Store the data where it is required. If the organisation needs to store confidential data on cloud it is important to make sure that the right technology is in place and encryption is in place,” added Deodhar.
He further pointed that there are various security tools available but it depends on the organisation, based on their requirements. It is also important to look at the basics and follow the data trail and know what data is being used and where it is being stored and secure it accordingly. Doing a risk assessment is important.