Manage Learn to apply best practices and optimize your operations.

Why the cloud is a smokescreen for third-party data security risks

While companies are fixated on the security risks of data in the cloud, recent data breaches indicate that business partners present equal risk.

Much has been written about how to secure data that's hosted in the cloud, and there's no question that company information residing there raises poses profound data security risks.

Steve WeissmanSteve Weissman

But an issue that has received far less discussion is the need to apply the same scrutiny to data held by organizations that are closer to the ground, so to speak. Consider your company's business partners, for example: You may share sensitive information with partners, even though they are not cloud service providers.

Sending this data outside your company's four walls presents security challenges as well, and companies need to apply the same level of rigor and skepticism to third parties that they do to cloud-based services.

Mission: Control

This lesson is extrapolated from the recent security breaches at Target, Michael's, Neiman Marcus and Bank of America, among others, during which the sensitive information of more than 70 million people ended up in the wrong hands. In these instances, the afflicted were consumers like you and me, and the unfortunate truth is that the outcome was the same for folks who write their PINs and passwords on the back of their credit cards as for those who lock their information down tight.

For more on information governance

Data security in the cloud is about sharing responsibility

Being format-agnostic in records management

Three ways to ensure that corporate content is secure

The implications of these security breaches is that it didn't matter whether the affected folks tightly controlled access to their important data: Once they turned information over to a retailer -- or "business partner" -- there was nothing more they could do to prevent the breach from occurring or to limit the scope of the damage.

This is how it is in the business world as well. As hard as we try hard to promulgate policies of protection, our efforts are necessarily limited to the confines of our own organizations. The fact is, once we relinquish direct control over our information by passing it to, say, a vendor from which we electronically order and pay, all we can do is hope the right things happen next.

It's not the cloud; it's governance

As noted, many virtual and print pages have been devoted to describing the kinds of nightmares that can develop when your cloud-based data is hacked. But as the situations at Target et al. indicate, the issue isn't limited to the cloud, and it isn't a function of where the data is hosted anyway.

Rather, it's all about governance, which I often describe as regulating the "care and feeding" of organizational information. One objective is to minimize the risk of data misuse, and this applies not only in the cloud but to the affiliates your operations tie into: suppliers, fulfillment houses, contract call centers, records archives, etc.

Companies need to apply the same level of rigor and skepticism to third parties that they do to cloud-based services.

When advising clients about their strategies for the cloud, I constantly reinforce the need to incorporate the answers to the big questions about a provider's service-level agreement (SLA). Thanks to these recent high-profile breaches, I'm now singing the same song when the conversation turns to interoperability with external systems. The goal is to encourage companies to take the same approach with partner agreements as with cloud contracts to ensure clarity, accountability and remediation regarding data protection and issue response.

This is where SLAs and management become critical, so you need to map out your SLAs and the questions you will ask in advance of these agreements. If you are working with partners, here are just a few of the questions to ask:

  • What kinds of security technologies and protocols are in place to secure information where it resides?
  • How do and will these systems work with your systems?
  • Who's responsible should a breach occur? How is this determined?
  • What are the limits of liability?
  • What is the recourse, and are there different outcomes associated with different kinds of breaches?
  • What procedures are triggered after a breach occurs?
  • What notifications need to be sent, how quickly, to whom and by whom?

The bottom line is that you need to think about any party with which you share information in the same way you think about a cloud provider. In "regular" business relationships, the issues are just as important as they are in the cloud. Like it or not -- and realize it or not -- all of you are in it together, and what happens to them certainly affects you.

Dig Deeper on Cloud-SaaS content management (ECM)

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Do you send company data to third parties, and what has your experience been?
Yes risk of exposing confidential d data use of appropriate data Outsourcing certain components of your business process helps the organization to shift certain responsibilities to the outsourced vendor
I agree that "The bottom line is that you need to think about any party with which you share information in the same way you think about a cloud provider."

In many of these environments, my Data is NOT under my control, NOT in a computer within in my organization and I may not have information about who can access my data, maybe administrators or other tenants. I may be sharing disk, memory and other infrastructure components with parties that I don’t know about.

They maybe stealing my data. Therefore I think that all sensitive data should be encrypted or tokenized before it is sent to the provider.

Below are a few words of guidance from the payment card industry, PCI SSC. The guidance is applicable for all sensitive data that is sent to the cloud and other providers.

If you outsource to a public-cloud provider, they often have multiple data storage systems located in multiple data centers, which may often be in multiple countries or regions. Consequently, the client may not know the location of their data, or the data may exist in one or more of several locations at any particular time.

Additionally, a client may have little or no visibility into the controls protecting their stored data. This can make validation of data security and access controls for a specific data set particularly challenging.

In a public-cloud environment, one client’s data is typically stored with data belonging to multiple other clients. This makes a public cloud an attractive target for attackers, as the potential gain may be greater than that to be attained from attacking a number of organizations individually.

I recently read an report from the Aberdeen Group that revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users”. The name of the study is “Tokenization Gets Traction”.

Ulf Mattsson, CTO Protegrity
Thanks, Ulf, for pointing out encryption and tokenizing as steps organizations can take to mitigate this risk. Thanks, too, for reminding folks about the international considerations, which few people think about but can be highly problematic. Case in point: I remember an instance a few years ago in which a Canadian federal agency added Google Analytics code to their Web site without realizing that data would be stored and processed in California -- which is to say, not in Canada. It was so easy to do that no one gave it a second thought!
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags ( let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
That may be a good way to get your stuff back, but it doesn't seem to have anything to do with protecting the information inside, which is a whole different issue.
Small companies not equipped to enforce security policies on those third parties larger companies equipped to force expert developed policies even issue company owned hardware third parties do elevate the level of risk to a business