Who Owns What? Your Data Protection Responsibility In The Multi-Cloud World

Rashi Mittal

In 2019, we expect to see three big patterns among our customers:

  • Enterprises will become more intelligent, by leveraging expanded capabilities for artificial intelligence (AI), machine learning, Internet of Things (IoT), and blockchain.
  • Companies will embrace a multi-cloud strategy by running SAP and non-SAP applications in the public cloud (Azure, AWS, Google Cloud Platform, and Alibaba Cloud). IDC has predicted that by 2020, over 90% of enterprises will use multiple cloud services and platforms.
  • Customers will need to focus on security, data protection, and privacy. Gartner forecasted that the worldwide spending on information security products will grow by 8.7% from $114 billion in 2018 to $124 billion in 2019.

A multi-cloud strategy not only challenges traditional norms of data protection and security but also raises many data sovereignty and data residency issues. For example, the global nature of the public cloud allows for worldwide collaboration, but the same trait also results in data accidentally wandering where it shouldn’t.

This can be especially problematic given the need to comply not only with EU’s General Data Protection Regulation (GDPR), but also new and varying data-protection regulations coming into effect in Brazil (General Data Privacy Law), California (California Consumer Privacy Act), India (Personal Data Protection Bill 2018), and other countries around the globe. The multi-cloud landscape and the new regulatory requirements beg for cloud governance, security, and compliance strategy and tools that can help automate data protection.

A number of customers have asked: Is there a need for other data protection solutions, when all hyperscalers—Microsoft Azure, Amazon Web Services, and Google Cloud Platform—have gone the extra mile to make their platforms secure?

This is a great question, and the answer is simple! All hyperscalers do a great job of securing their own platforms. But contrary to what you may think, protecting your most valuable assets (your data, customer information, and intellectual property) in the cloud is still your responsibility, not theirs. The public cloud providers endorse this idea under the well-known “shared responsibility model” discussed below.

What is the shared responsibility model?

When your data is in your own data centers, obviously your IT organization is solely responsible for protecting the data. But as you move data to the public cloud, the ownership line becomes fuzzy. The responsibility of data protection becomes shared between the cloud provider and you.

Broadly speaking, cloud providers are responsible for the security of the cloud itself, while customers are responsible for security and compliance requirements for their data in the cloud. In GDPR-speak, you are generally the “controller” of your data and take on all the compliance and regulatory requirements associated with your end users’ data. Therefore, your greatest cloud security needs are around monitoring and restricting access to your data.

To elaborate further, the physical security of data centers and hardware is fully owned by the cloud provider. The cloud provider also controls and secures the host operating system and the virtualization layer. While some responsibilities are shared between you and the cloud service provider, others are entirely your responsibility.

  • For example, you are responsible for all your data sitting in the cloud, whether the data is stored in cloud services (data stored in virtual machine disks, storage buckets, blobs, etc.) or the data is stored in applications running in the cloud.
  • You are also responsible for configuring and managing the security controls for the guest operating system and other apps (including updates and security patches), and for the security group firewall.
  • Encrypting data in transit and at rest is also your responsibility.

How to manage data protection responsibilities in the cloud

You should understand the division of responsibilities in the cloud to effectively manage your organization’s internal security, governance, risk, and compliance teams, and communicate with your external auditors and regulators.

Ideally, you should have real-time visibility and transparency into your data in the cloud. You should also have the ability to classify your data correctly, to implement data-loss prevention, to receive machine learning-driven anomaly detection, to control access to your data by internal employees and cloud provider employees, and to bring and own your own keys to encrypt your data in the multi-cloud environment.

This is why, to help with your governance, risk, and compliance obligations under the shared responsibility model, SAP has developed an easy-to-use SaaS application that will provide:

  • Public-cloud data protection, governance, and compliance
  • Contextual access control
  • Key management as a service (KMaaS)
  • Machine learning for anomaly detection
  • Risk and audit reporting
  • Data loss prevention
  • Data classification

Above and beyond best practices

In all, as a CFO/CIO/CISO/DPO, you need an accurate understanding of your security and risk posture as you move to the cloud. Given how high the stakes are with data protection these days, it’s important that you work with a trusted partner to help navigate the data-protection shared-responsibility model in the cloud and in turn, protect the confidentiality, integrity, and availability of systems and data in your enterprise’s growing cloud environments.

Learn more

Want to hear more how finance leaders are harnessing the power of technology innovations to transform their operations? Register today to attend the first-ever, complimentary online SAP Finance and Risk Management Virtual Event for an insightful experience of customers, experts, partners, and SAP executives discussing today’s pressing challenges and opportunities.

This article originally appeared on the SAP Analytics blog and is republished by permission.

Follow SAP Finance online: @SAPFinance (Twitter)  | LinkedIn | FacebookYouTube


Rashi Mittal

About Rashi Mittal

Rashi Mittal is a director of product management/solution management for multi-cloud organization at SAP. She is working on product strategy, go-to-market, business development, and commercialization for an innovative and strategic data protection/data privacy solution for customers in the cloud: SAP Data Custodian. For this product, she has been driving partnerships with all the major public cloud providers. Rashi has her B.A. from Stanford and J.D. from Boston University School of Law. Rashi is a licensed attorney in California and New York. Prior to transitioning to product management, Rashi practiced as an attorney for PayPal and a major law firm in Washington D.C. She has extensive experience working on complex legal and business issues across many different industries. She loves hiking, traveling, and mentoring people interested in transitioning careers.