
2016/12/14 Cloud and data protection: a story of dangerous liaisons (By François GRATIOLET, Founder & Managing Partner, Business Digital Security)

Data, the new oil of the economy

Cyber-attacks increasingly target customer data on a global scale, and have intensified in frequency, financial impact and visibility:

  • The 2013 data breach at Target caused a significant drop in its profits, estimated at about 40% in the 4th quarter of 2013
  • In October 2016, the company Talk Talk was fined by the Information Commissioner’s Office (ICO) regulator and had to pay £400,000 following the theft of 150,000 customers’ records in 2015 [1].

A company’s information assets represent a tremendous value, and the need for protection has never been more critical.


Data protection approaches are emerging despite technological oversupply

A pragmatic approach is not to “build a wall” around the IT infrastructure, but to protect the data that is most valuable to the company (i.e. “the Crown Jewels”) according to the value it represents. These business-oriented approaches are recommended to senior executives by strategy consulting firms (AT Kearney, McKinsey …) [2].

However, few companies have adopted a real data-centric approach:

  • Classification and data protection policies have been defined and documented, but are either not enforced or poorly enforced.
  • Some initiatives (such as identifying sensitive data, classifying data, controlling access to file servers, or deploying secure file sharing solutions, secure messaging solutions, Enterprise Rights Management (ERM) solutions …) are growing, but a “holistic” strategy is still lacking.

The approach remains focused on IT and insufficiently on the data. This often leads to technology projects on a very small scope in terms of the number of users, without large-scale deployment, carried out in response to ad hoc audits and regulatory requirements. The main challenge remains discovering and identifying the most valuable data.

Nevertheless, the global market for data security is flooded by a tsunami of technology solutions, many with overlapping features and with offerings that are difficult for customers to read. Forrester identified around 20 segments and over 200 suppliers in its Forrester TechRadar™: Data Security (Q2 2014) [3]; in 2014 the data security market represented about 17% of the IT security technology market.


Cloud adoption is accelerating

In a context of digital transformation (Know Your Customer, new services …), the cloud brings many benefits, and adopting the cloud, whatever its model (IaaS / PaaS / SaaS / DaaS) or its deployment mode (public / community / private), is now unavoidable.

The cloud also presents business risks to be aware of (with impacts in terms of image, financial losses or non-compliance, which vary by the company and its context) and to manage accordingly. These risks mainly relate to a breach of confidentiality of information assets that create value for a corporation’s business lines.

In addition, regulatory pressure, particularly in the financial sector, is becoming very strong in different regions of the world (Autorité de Contrôle Prudentiel et de Résolution in France, Financial Conduct Authority in the UK, Financial Services Authority in Japan …), with a focus on the cloud and personally identifiable information (PII, with the EU General Data Protection Regulation), as well as obligations for critical operators (the EU NIS Directive, the LPM in France …).

The cloud phenomenon makes it difficult for large companies, but also for SMBs and SMEs, to become aware of their responsibility for their data.

In practice, the key questions that customers should ask their cloud service provider (CSP) are organizational, operational, sovereignty-related and legal, for example (non-exhaustive list):

  • In which country is the cloud service provider established? Is the supplier infrastructure limited to one country or several countries?
  • Is the legislation applicable under the contract the same as the laws that may apply to the data (because of their place of processing…)?
  • Where will the data be stored physically? Can the supplier guarantee the immediate removal of customer data upon the end of the contract?
  • How is the data of the client company (belonging to the company or to its own customers) protected, processed and transferred?
  • How is the data encrypted by the cloud service provider? Is the client able to encrypt data using cryptographic keys that it manages itself?


The recent emergence of technological solutions to access the cloud securely

The need to access the cloud securely and to protect data entrusted to the supplier has become a strategic business issue for customers.

Protecting critical data has become a huge challenge for corporations. Focusing initially on the data hosted in the cloud also makes it possible to set up a concrete, pragmatic and actionable data protection approach across the organization.

Although cloud solutions tend to embed more and more “native” encryption capabilities, customers expect a trusted third party for data protection that allows them, among other things, to discover sensitive data leaving the company (whether unintentionally or maliciously), to encrypt data with their own keys, and to monitor access to public cloud services …
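As an added illustration of the “encrypt data with their own keys” requirement (the last question in the CSP checklist above and the expectation stated in this paragraph), here is example Go code that is not part of the original article or of any vendor’s product. It shows envelope encryption: each object is encrypted under a fresh data key, and that data key is wrapped under a key-encryption key (KEK) that stays with the customer, so the provider stores only ciphertext and a wrapped key. Overwriting the KEK makes every stored object unrecoverable (crypto-shredding), which is also one concrete answer to the “removal of customer data at the end of the contract” question. The WrappedObject layout, the object identifier and the sample record are constructed assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrappedObject is the only material handed to the cloud provider: the
// encrypted payload plus the per-object data key wrapped under the customer's
// KEK. The KEK itself never leaves the customer. (Constructed layout for this
// example, not any vendor's storage format.)
type WrappedObject struct {
	Nonce      []byte // AES-GCM nonce for the payload
	Ciphertext []byte // payload encrypted under the per-object data key (DEK)
	KeyNonce   []byte // AES-GCM nonce used when wrapping the DEK
	WrappedDEK []byte // DEK encrypted under the customer-managed KEK
}

// NewKEK generates a 256-bit key-encryption key that stays with the customer
// (assumed to live in an HSM or on-premises key manager in real deployments).
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh random nonce, binding aad.
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// Seal applies envelope encryption before upload: a fresh DEK per object
// encrypts the payload, and the DEK is wrapped under the KEK. objectID is
// bound as additional authenticated data so a stored object cannot be
// silently substituted for another one.
func Seal(kek []byte, objectID string, plaintext []byte) (*WrappedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	nonce, ct, err := sealWith(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := sealWith(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &WrappedObject{Nonce: nonce, Ciphertext: ct, KeyNonce: keyNonce, WrappedDEK: wrapped}, nil
}

// Open reverses Seal. It fails when the KEK is wrong or has been destroyed,
// when the object was tampered with, or when it is presented under a
// different objectID than the one it was sealed with.
func Open(kek []byte, objectID string, obj *WrappedObject) ([]byte, error) {
	aad := []byte(objectID)
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, obj.KeyNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or destroyed KEK, or tampered object")
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataAEAD.Open(nil, obj.Nonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("payload authentication failed")
	}
	return pt, nil
}

// CryptoShred models the end of the contract: overwriting the customer's KEK
// makes every object wrapped under it unrecoverable, even if the provider
// keeps copies of the ciphertext and wrapped keys.
func CryptoShred(kek []byte) {
	for i := range kek {
		kek[i] = 0
	}
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	const objectID = "customers/2016-q4.csv"                  // constructed sample identifier
	record := []byte("id=1042;name=Jane Example;iban=FR76XXXX") // constructed sample record
	obj, err := Seal(kek, objectID, record)
	if err != nil {
		panic(err)
	}
	// What the provider holds: ciphertext and a wrapped key, never plaintext.
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped DEK\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	pt, err := Open(kek, objectID, obj)
	fmt.Println("customer decrypts:", string(pt), err)
	CryptoShred(kek)
	_, err = Open(kek, objectID, obj)
	fmt.Println("after shredding the KEK:", err)
}
```

The design point is separation of duties: the provider can store, replicate and back up the WrappedObject freely, but without the KEK neither the wrapped DEK nor the payload can be opened, and binding the object identifier as authenticated data means a stored object returned under the wrong name is rejected rather than silently accepted.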

A market of specialist technology providers (called Cloud Access Security Brokers, CASB, by Gartner, or Cloud Data Protection, CDP, by Forrester) is growing at high speed. These solutions provide a single point of control for access to multiple cloud services by any user or device.


This market has the following characteristics:

  • Actors mostly from the US or Israel
  • A very strong competitive intensity. In 2015, Forrester identified 17 “pure players” [5]: Actifio, Adallom, BetterCloud, CipherCloud, CipherPoint, CloudLink, CloudLock, Digital Guardian, NCrypted Cloud, Perspecsys, Porticor, Skyfence, Skyhigh Networks, Sookasa, Trend Micro, Vaultive, and Voltage Security
  • In the consolidation phase: for example, in 2015-2016, purchase of Elastica and PerspecSys by Blue Coat and Symantec, and purchase of Adallom by Microsoft


The EU GDPR regulation, combined with the widespread adoption of the cloud by large or mid-sized corporations, will probably be one of the key drivers in the growing market of data protection in France and in Europe in the coming years.

Indeed, this regulation could impose fines of up to 4% of a company’s total turnover for serious data breaches resulting from negligence. A breach of encrypted data will not attract the same sanctions, which will have the effect of encouraging companies to encrypt their personal data. Thus, Skyhigh Networks announced in October 2016 the availability of a service called “GDPR ready” [6].

Although mature technological and operational solutions exist, they remain little deployed in France and Europe. Major evangelization efforts by US-based vendors such as CipherCloud or Elastica (now Symantec) have helped to educate the market.

The CASB or CDP market still remains a niche market, but is considered to have very high potential (market estimated at $7.51 billion in 2020) [7].

Thus, innovative French players like the company Difenso are now positioning themselves on the French and European market, enhancing encryption and key management capabilities and providing an interesting alternative to US-based offerings [8].


[1] http://www.wired.co.uk/article/talktalk-fine-hack-400000

[2] https://www.atkearney.com/paper/-/asset_publisher/dVxv4Hz2h8bS/content/the-golden-rules-of-operational-excellence-in-information-security-management/10192

[3] Forrester TechRadar TM: Data security, Q2 2014

[4] Cloud and the false sense of data ownership (https://business-digital-security.com/cloud-and-the-false-sense-of-data-ownership/)

[5] Market Overview: Cloud Data Protection Solutions (February 25, 2015)

[6] http://www.globalsecuritymag.fr/Skyhigh-Networks-propose-un,20161004,65901.html

[7] http://www.marketsandmarkets.com/PressReleases/cloud-access-security-brokers.asp

[8] https://www.difenso.com