Who is liable for your data in the cloud?
By John Michael
In an age of ‘cybercrime-as-a-service’, cyberattacks from both state-sponsored groups and hacking collectives are now inflicting unprecedented levels of damage, with the Cisco CEO reporting that it now costs USD $6 trillion per year [1]. According to the Allianz Risk Barometer 2022 [2], cyber incidents have become the most important business risk, increasing in regularity and complexity. In a single month (May 2022), 49.8 million records were breached [3], with extensive media coverage reminding organisations to be mindful of their responsibilities.
Despite initial concerns about data hosted in the cloud, providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet the security element can be somewhat misleading. The terms and conditions of many major cloud providers include a ‘limitations of liability’ clause which places data-security responsibility with the cloud user. More stringent measures should therefore be considered when choosing cloud storage.
Encryption and key storage
When looking to establish robust security measures for cloud data, a vital step is to consider encryption. Cloud providers will offer encryption as part of their service, which, on the surface, makes the roles of IT and security personnel easier, since this burden is taken away as part of a convenient managed service. However, there is a pitfall in relation to the way this data can be accessed.
Unlocking the stored data requires an encryption key. As this is often also stored in the cloud, it therefore has the potential to be accessible, not only by malicious threat actors, but also by anyone working on the systems that hold the data. To be truly secure, the user needs to have full control of the encryption key, and to ensure that it is stored separately to their data. Following this approach will mean that, even if the cloud account is targeted, the data it contains cannot be accessed.
Controlling shared data
While encrypting data to be shared is imperative, posting encrypted USB flash drives to and from stakeholders becomes time-consuming and highly impractical. Sharing encrypted data securely in the cloud allows for instant collaboration. Keeping the encryption key, which is itself encrypted with a PIN-authenticated code, away from the cloud increases the number of security measures from just one authentication (the cloud account login) to up to five-factor authentication.
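The key separation described under "Encryption and key storage" and the PIN-protected key described above, as an added example that is not from the original article or any vendor's product. It assumes Node.js with its built-in crypto module; AES-256-GCM, scrypt, the function names and the sample PIN and data are choices made for this illustration.

```javascript
const nodeCrypto = require("crypto");

// Derive a key-encryption key (KEK) from the user's PIN with scrypt.
function deriveKek(pin, salt) {
  return nodeCrypto.scryptSync(pin, salt, 32);
}

// AES-256-GCM: output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt locally. Only cloudObject is uploaded; localKeyFile stays with the user.
function encryptForCloud(pin, plaintext) {
  const dataKey = nodeCrypto.randomBytes(32);   // random per-object data key
  const salt = nodeCrypto.randomBytes(16);
  const wrappedKey = seal(deriveKek(pin, salt), dataKey);
  return {
    cloudObject: seal(dataKey, Buffer.from(plaintext)),
    localKeyFile: { salt, wrappedKey },
  };
}

// Decryption needs all three: the cloud object, the local key file and the PIN.
function decryptFromCloud(pin, cloudObject, localKeyFile) {
  const dataKey = open(deriveKek(pin, localKeyFile.salt), localKeyFile.wrappedKey);
  return open(dataKey, cloudObject).toString();
}

// Constructed sample: PIN and document are made up for the example.
const SAMPLE = encryptForCloud("493817", "Q3 payroll export");

function tryDecrypt(pin, cloudObject = SAMPLE.cloudObject) {
  try { return decryptFromCloud(pin, cloudObject, SAMPLE.localKeyFile); }
  catch (e) { return null; }   // wrong PIN or tampered object
}
```

A short numeric PIN has little entropy, so scrypt only slows guessing; the protection depends on the wrapped key file never being stored alongside the ciphertext.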
[1] SDX Central (2021): Cisco CEO – Cybercrime damages hit $6 trillion
[2] Allianz (2022): Allianz Risk Barometer 2022: Cyber perils outrank Covid-19
[3] https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-may-2022-49-8-million-records-breached