Who Owns What? Your Data Protection Responsibility in the Multi-Cloud World
Note: Some of the features and functionalities discussed in this blog post are not yet available. For more on the roadmap for SAP Data Custodian, visit the product page.
In 2019, we expect to see three big patterns among our customers:
- Enterprises will become more intelligent by leveraging expanded capabilities for artificial intelligence (AI), machine learning, internet of things (IoT), and blockchain.
- Companies will embrace a multi-cloud strategy, by running SAP and non-SAP applications in the public cloud (Azure, AWS, Google Cloud Platform (GCP) and Alibaba Cloud). IDC has predicted that “by 2020, over 90% of enterprises will use multiple cloud services and platforms…”
- Customers will need to focus on security, data protection and privacy. Gartner forecast that worldwide spending on information security products will grow by 8.7 percent from $114 billion in 2018 to $124 billion in 2019.
A multi-cloud strategy not only challenges the traditional norms of data protection and security, but also raises many data sovereignty and data residency issues. For example, the global nature of the public cloud allows for worldwide collaboration, but the same trait also results in data accidentally wandering where it shouldn’t.
This can be especially problematic given the need to comply not only with the EU’s General Data Protection Regulation (GDPR), but also with new and varying data protection regulations coming into effect in Brazil (General Data Privacy Law), California (California Consumer Privacy Act), India (Personal Data Protection Bill 2018) and other countries around the globe. The multi-cloud landscape and the new regulatory requirements call for a cloud governance, security and compliance strategy, and for tools that can help automate data protection.
A number of customers have asked me, “Is there a need for other data protection solutions, when all hyperscalers (Microsoft Azure, Amazon Web Services, and Google Cloud Platform) have gone the extra mile to make their platforms secure?” This is a great question and the answer is simple! All hyperscalers do a great job of securing their own platforms. But, contrary to what you may think, protecting your most valuable assets (your data, customer information, and intellectual property) in the cloud is still your responsibility, not theirs. The public cloud providers endorse this idea under the well-known “shared responsibility model” discussed below.
What Is the Shared Responsibility Model?
When your data is in your own data centers, obviously, your IT organization is solely responsible for protecting the data. But, as you move data to the public cloud, the ownership line becomes fuzzy. The responsibility of data protection becomes shared between the cloud provider and you.
Broadly speaking, cloud providers are responsible for security of the cloud itself, while customers are responsible for security and compliance requirements for their data in the cloud. In GDPR speak, you are generally the “controller” of your data and take on all the compliance and regulatory requirements associated with your end users’ data. Therefore, your greatest cloud security needs are around monitoring and restricting access to your data.
To elaborate further, physical security of data centers and hardware is fully owned by the cloud provider. The cloud provider also controls and secures the host operating system and the virtualization layer. While some responsibilities are shared between you and the cloud service provider, others are entirely your responsibility.
- For example, you are responsible for all your data sitting in the cloud, whether the data is stored in cloud services (virtual machine disks, storage buckets, blobs, etc.) or in applications running in the cloud, such as SAP SuccessFactors, SAP HANA Enterprise Cloud, and SAP Cloud Platform.
- You are also responsible for configuring and managing the security controls for the guest operating system and other apps (including updates and security patches), and for the security group firewall.
- Encrypting data in-transit and at-rest is also your responsibility.
How to Manage Your Data Protection Responsibilities in the Cloud?
You should understand the division of responsibilities in the cloud to effectively manage your organization’s internal security, governance, risk and compliance teams, and communicate with your external auditors and regulators. Ideally, you should have real-time visibility and transparency into your data in the cloud. You should also have the ability to classify your data correctly, to implement data loss prevention, to receive machine-learning-driven anomaly detection, to control access to your data by internal employees and cloud provider employees, and to bring and own your own keys to encrypt your data in the multi-cloud environment.
This is why, to help with your governance, risk, and compliance obligations under the shared responsibility model, SAP has developed an easy-to-use SaaS application, SAP Data Custodian, which will provide you with the following on Microsoft Azure, Google Cloud Platform, Amazon Web Services (coming soon) and Alibaba Cloud (coming soon):
- Public-cloud data protection, governance and compliance
- Contextual access control
- Key management as a service (KMaaS)
- Machine learning for anomaly detection
- Risk and audit reporting
- Data loss prevention
- Data classification
This solution, with a robust visualization dashboard and configurable policies, will not only help prevent unauthorized access by internal employees, but will also help provide full visibility into and control of access by the cloud provider (GCP, Azure, AWS, Alibaba Cloud). With SAP Data Custodian, you won’t have to sweat data protection. You will be able to automate many components, and enjoy the benefits of the intelligent enterprise, a multi-cloud strategy, and a heightened level of data protection, privacy, and security!
Above and Beyond the Cloud Security/Data Protection Best Practices
In all, as a CFO/CIO/CISO/DPO, you need an accurate understanding of your security and risk posture as you move to the cloud. Given how high the stakes are with data protection these days, it’s important that you work with a trusted partner, like SAP, to help navigate the data protection shared responsibility model in the cloud and in turn protect the confidentiality, integrity, and availability of systems and data in your enterprise’s growing cloud environments.