‘Limitations of liability’ – Who is ultimately liable for your data in the cloud?

July 12, 2022


John Michael, CEO, iStorage explains why organisations should be questioning the integrity of their data in the cloud and considering the methods and measures to ensure its safety.

While recent geopolitical tensions show little sign of abating, there does appear to be a consensus to avoid all-out military conflict with the 30-strong trans-Atlantic alliance. But this doesn’t mean aggressors are impotent; they are turning instead to subtler and equally pernicious means to harm Western economies. In an age of ‘cybercrime-as-a-service’, cyber-attacks arising from both state-sponsored groups and hacking collectives are now inflicting unprecedented levels of damage, with the Cisco CEO reporting that it now costs USD $6 trillion per year.

According to the Allianz Risk Barometer 2022, cyber incidents have become the most important business risk, increasing in regularity and complexity. In a single month (May 2022), 49.8 million records were breached with extensive media coverage reminding organisations to be mindful of their responsibilities. Despite initial concerns about data hosted in the cloud, providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet, the security element can be somewhat misleading.

A cybersecurity study found that 96% of organisations are moderately to extremely worried about cloud security, with data loss or leakage (64%), data privacy (62%) and accidental credential exposure (46%) their top three concerns. Indeed, the terms and conditions of many major cloud providers include a ‘limitations of liability’ clause which puts data security responsibility squarely onto the shoulders of the cloud user. Therefore, all users need to be conscious of using adequate and, in many cases, more stringent measures when storing their data in the cloud, to confidently assure wider stakeholders that it won’t be their company name making headlines.

Encryption and key storage

Our digitalised world is driven by data and its ability to provide valuable insights to inform key business decisions. When looking to establish more robust security measures for cloud data, a vital step is to consider encryption. By encrypting data, businesses can enhance the security of their files as well as any communications that take place between client apps and servers. Cloud providers will offer encryption as part of their service, which, on the surface, makes the roles of IT and security personnel easier, as this burden is taken away as part of a convenient managed service. However, there is a pitfall in relation to the way this data can be accessed.

Unlocking the stored data requires an encryption key. As this is often also stored in the cloud, it therefore has the potential to be accessible, not only by malicious threat actors, but also by anyone working on the systems that hold the data. Full encryption of data should therefore not be dependent on the cloud provider. To be truly secure, the user needs to have full control of the encryption key and to ensure that it is stored separately to their data. Following this approach will mean that, even if the cloud account is targeted and data falls into the wrong hands, it cannot be accessed.   

Controlling shared data

The more people that have access to the same shared data, the greater the challenge becomes to ensure its ongoing integrity. While encrypting data to be shared is imperative, posting encrypted USB flash drives to and from stakeholders, for example colleagues collaborating on a project, becomes time-consuming and highly impractical. This is especially so when large groups of people are involved. Sharing encrypted data securely in the cloud allows for instant collaboration. Keeping the encryption key, which is itself encrypted with a PIN-authenticated code, away from the cloud increases the number of security measures from just one authentication – the cloud account login – to up to a five-factor authentication.
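The key handling described under ‘Encryption and key storage’ and in the paragraph above, as an added example (not code from the article or from iStorage): data is encrypted locally with AES-256-GCM so that only ciphertext reaches the cloud, while the data key stays local, wrapped under a key derived from a PIN. The function names are hypothetical, and scrypt in software is an assumption standing in for whatever PIN check a real key store performs.

```javascript
// Added example (Node.js): client-side encryption with the key kept off the cloud.
const nodeCrypto = require('node:crypto');

// Derive a key-encryption key (KEK) from the PIN. Assumption: software scrypt
// stands in for the PIN authentication a dedicated key store would perform.
function deriveKek(pin, salt) {
  return nodeCrypto.scryptSync(pin, salt, 32);
}

// AES-256-GCM seal. Output layout: iv (12) || tag (16) || ciphertext.
// `aad` binds the ciphertext to its context (here, the object name).
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal(); throws if the key, the aad or any byte of the blob is wrong.
function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt locally and split the result: `cloud` is uploaded, `local` never is.
function encryptForCloud(pin, name, data) {
  const dataKey = nodeCrypto.randomBytes(32); // random per-object data key
  const salt = nodeCrypto.randomBytes(16);
  const wrappedKey = seal(deriveKek(pin, salt), dataKey, 'key:' + name);
  return {
    cloud: { name, blob: seal(dataKey, data, name) }, // ciphertext only
    local: { salt, wrappedKey },                      // kept away from the cloud
  };
}

// Needs all three: the PIN, the local key record and the cloud object.
function decryptFromCloud(pin, cloud, local) {
  const kek = deriveKek(pin, local.salt);
  const dataKey = open(kek, local.wrappedKey, 'key:' + cloud.name);
  return open(dataKey, cloud.blob, cloud.name);
}

// True when decryption is refused (wrong PIN, wrong key record, tampered blob).
function failsToDecrypt(pin, cloud, local) {
  try { decryptFromCloud(pin, cloud, local); return false; } catch { return true; }
}
```

A short PIN gives the wrapped key little resistance to offline guessing on its own, so the `local` record must never be stored in the same cloud account as the ciphertext.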

Another important aspect of ensuring data privacy around shared data is centralised management. When data cannot be effectively monitored and managed, this can have severe implications for an organisation. As an example, an engineer at a US-based aerospace and defence company decided to travel to China, taking US missile defence secrets with him on a laptop. This was despite warnings from officials that by doing so he would be contravening company policy and federal law. The incident could have been avoided if the organisation had encrypted the data on the laptop or in the cloud, requiring an encryption key to unlock it and making it possible for geofencing restrictions to be put in place or confidential files removed.

Cloud is an enabler of modern business and the foundation for much of what is possible today. However, what might have been deemed good enough in terms of security last year will not necessarily offer the required levels of protection at a time when the cyber-threat is evolving so rapidly. Retaining full responsibility for the encryption and management of sensitive information, even when stored in the cloud, will bring companies the peace of mind that comes from ensuring compliance with privacy and confidentiality laws and, ultimately, having safer data.

Learn more about managing, sharing and encrypting data in the cloud: istorage-uk.com/product/cloudashur/
