A move to the cloud cannot result in a loss of control of data, as due diligence should be done before and during the outsourcing process.
Speaking at the SC Magazine Data Protection Summit in London, G4S technology director Glyn Hughes said that internal due diligence and continual assessment need to be done when it comes to the cloud.
Hughes said the concept of cloud computing was discussed by his board in 2008, and by 2009 it was called 'sophisticated and scalable', but he said that "users need not have expertise or knowledge of the technology infrastructure that supports them". However, he said that an early challenge came from the opportunities of lower barriers to entry, device independence and standardisation, which "allowed business managers to bypass IT departments".
“Do you surrender control of security and data protection? Absolutely not. Data protection control lives with you as you are the buyer not them as the vendor. Also, agile competitors who care less about due diligence can pose a real threat – we saw the potential to be a significant IT change and that has pretty much borne out,” he said.
Looking to the present, Hughes said that there are now real risks, as the vendors are very different and there is a take-it-or-leave-it attitude to contracts and infrastructure, and that management by humans remains very important.
“When it comes to support, it can be frustrating if you are used to dealing with vendors and yours is a small voice among many,” he said.
“Also, you need to have control over your systems and this is the case with cloud systems, and how you can be sure the data is your data. It is down to individual users to apply classifications to data and don't stop mis-classifying it.”
He also claimed that managing risks starts with understanding and with educating the business about circumventing IT and, more often than not, keeping IT and governance in the loop. He encouraged reviewing your risks and assessing again, saying that this is "all based on risk assessment and to do that with cloud, you need to boil down a cloud solution to the data centre, network and assess as if it were on-premise".
Echoing comments made earlier by the Information Commissioner's Office, Hughes said that just because data is in the cloud, it doesn't mean that you need to do less. He said that G4S has produced guidelines for data protection internally, and concluded by encouraging delegates not to treat cloud as an entity, but to deconstruct it "as it is your data".