Cloud providers work on economies of scale, and for better resilience, efficiency and speed, store data in multiple locations. An even bigger complication arises when the business uses multiple cloud services for its purposes. So, unless the business has enough funds to pay for several geographically dispersed private cloud systems, they would depend on the cloud service provider to store data as they see fit, meaning that they wouldn’t have any control over where the data is stored.
Adapting a cloud business to any location takes resources – time, effort and considerable planning. In addition to local competition, infrastructure, ecosystem requirements and market considerations, local laws and regulations also demand serious consideration. Several developing markets – the CIS region, Africa and the like require compliance with strict regulations, especially when it comes to data and cloud usage. With nations across the world upping their ante over data protection and privacy, compliance is only likely to get more stringent in the future. This has resulted in significant challenges for local businesses looking to shift their data to the cloud or businesses looking to expand to different locations. We take a look at some of them:
As an increasing number of businesses switch to cloud services, data protection regulations are simultaneously being tightened considerably across the world. After the EU’s GDPR and India’s draft Data Protection Bill, several countries are following suit. The move towards cloud computing, and the impending shift to the edge cloud, may expose a compliance gap, especially when it comes to personal data. With the edge cloud executing data collection and storage at the source of generation, stricter regulations would not be a challenge for businesses. With data localisation laws coming up in the interest of data privacy and security, using the cloud can become an even bigger problem.
Multiple Clouds, Multiple Challenges
Regulations primarily deal with what type of data is stored (whether it is personally identifiable, sensitive, classified etc) and where it is stored. For organisations with in-house systems including their own databases, archives and storage, identifying both would not be a problem. The storage of most, if not all of their data would necessarily be local. So they can set up systems such that data pertaining to a certain geography is stored and processed within that region. Using a cloud service, or an edge cloud setup, on the other hand, makes it difficult to control the location of data. This data will both be processed at the location of the customer, and sent back to a central cloud from time to time for various operational reasons.
start with this para first —-
The risk to security, especially those from a legal compliance perspective, arise from the fact that with the cloud, businesses may have limited knowledge or control over where the data is stored. Privacy breaches occur frequently, and with such a major ceding of the control of data by corporations, they need to be vigilant about the security practices adopted by cloud service providers.
How Businesses Can Adapt
There are several steps that businesses can take to ensure compliance and adapt to local challenges.
One such step is to limit the use to specific cloud service providers who have transparent policies on data location. Businesses can carefully audit their data and actively identify personal data. After such identification, they can ensure that the storage and processing of this sensitive data comply with local regulations. They can also implement client-based encryption to enhance security and reduce the risk of data loss in case of hacking.
Another step to take is to carefully audit and negotiate service level agreements (SLA) with cloud service providers. It is unlikely that the service provider’s standard terms and conditions would meet the requirements of all business, regardless of their size or scale of operations. It is advisable to first closely examine the agreement to check whether its terms meet the requirements. No matter how large the vendor is or how small the business is, cloud vendors are usually agreeable to some changes in their terms to increase the comfort of the business.
From a security standpoint – it’s worth noting that data is essentially being handed over to a third party to store and process. Businesses therefore need to ensure that the service providers they choose have secure user identity management, access control and authentication mechanisms in place. In addition to data localisation laws, businesses must also ensure compliance with any data security regulations of the region they are operating in.
Cloud computing may pose some risks, both to security and to local compliance, but if organisations take care to ensure data privacy and security, the challenges are far from insurmountable. Further, the risks are likely to diminish as security innovations catch up with the cloud computing technology. Everyone, be it businesses or local governments, is new to the advances in cloud computing technology, and the potential threats need to be addressed before a comfort zone is reached and compliance becomes less complex.