Cloud-based storage greatly increases cyber security exposures: PanelPosted On: Mar. 6, 2013 12:00 AM CST
NEW YORK — As if managing the risk of data breaches and losses isn't complicated enough, incorporating cloud-based data storage services can greatly exacerbate an organization's cyber security exposures, cyber risk experts say.
More and more companies are turning to cloud computing as a low-cost alternative to in-house data management, many without fully understanding the attendant financial and legal liability exposures they face by outsourcing the protection of sensitive corporate and customer information, panelists said Tuesday at Business Insurance's 2013 Risk Management Summit in New York.
“It really does make life a lot more complicated when you move your data outside of your four walls and into this amorphous place,” said Doug Pollack, chief marketing officer at Portland, Ore.-based ID Experts Inc.
A key challenge for risk managers whose companies are contemplating moving some or all of their data management systems to a cloud-based platform, panelists said, is the jurisdictional ambiguity surrounding the technology, both in terms of data security and breach notification laws, as well as contract law regarding service providers.
“Standardization matters,” said Emily Cummins, director of tax and risk management for the National Rifle Association, noting that while many developed countries were deemed broadly “cloud-ready” in a 2012 study by the Washington-based Software Alliance, that same study also noted significant gaps in alignment among those countries' legal and regulatory climates where cloud computing is concerned.
“Cloud computing requires a network of laws and regulations as a base,” she said.
That lack of regulatory cohesion among developed nations has made it difficult for risk managers to determine whether their third-party cloud service provider has assumed an appropriate percentage of the financial and legal liability in the event of a service outage, accidental loss of data or data theft, panelists said.
“As we've already seen, there is very little visibility and control over the security of data in the cloud,” said Solange Ghernaouti, director of the Lausanne, Switzerland-based Swiss Cybersecurity Advisory and Research Group at the University of Lausanne. “The question becomes, who is responsible for guaranteeing confidentiality and integrity of that data? That's the main problem.”
Panelists said that while reported incidents of cloud-based data breaches have been scarce among manufacturers, software companies, communications firms and financial institutions, risk managers should not assume the technology can be implemented easily or without thorough risk analyses and data security control tests.
“There may have only been a few breaches so far, but risk managers have jobs and attorneys have jobs because the world continues to change,” said Scott Godes, a Washington-based attorney at Dickstein Shapiro L.L.P.