back to article Pop quiz: Who's responsible for data protection compliance in the cloudy era? If you said 'dunno', you're not alone

A new survey published by Microsoft shows the extent of confusion in businesses about how to comply with data protection regulations in the cloud era. The Windows giant sponsored a survey by the Ponemon Institute, which approached 30,000 IT or infosec practitioners in the US and European Union, of whom just over 1,000 …

  1. Brian Miller

    Point scores based on what?

    "Conceal information with lock screen" gets 27 points. Why 27? It's like getting experience points from a dungeon master. What's the rationale for it? I have no clue.

    The problem with all of this cloud computing is that so many use it like it was plugged in locally. It isn't. And a lot of the server software, like Nginx, wants important secret things, like private keys, out in the open. Sorry, encryption for important private data is available, but the server just doesn't support that. Why?????

    So much of this is based on one lame hack after another. One would hope that the major corporations would come out with a brilliant product, but I think we've all been through the muck that is IIS. I am waiting for adversarial neural networks to learn to write code. We just might wind up with something better than the usual dreck.

    1. b0llchit

      Re: Point scores based on what?

      ...gets 27 points. Why 27?

      Easy, the marketing department has determined that the dungeons are more valuable than the dragons. If you lock the dungeon, then the dragon will fail to enter. The magician holds the key until the spell of random predictability is cast. Then hell breaks loose and we see the burn-in on the dungeon screen, which the dragon uses to unlock the sword of data trimming. Marketing found that it takes 27 turns to the end of the world.

      Therefore, you get a score of 27.

    2. big_D Silver badge

      Re: Point scores based on what?

      No idea what they are based on.

      We have Microsoft 365, but we have disabled Sharepoint online, Exchange online, Teams, AzureAD is not linked to our local domain and it uses anonymous usernames. We get 0% compliance for all of that... :-S

  2. Dan 55 Silver badge

    Is it easier to comply with regulations like the EU's GDPR with cloud or on-premises systems? Here there is no consensus, though the figures slightly favour cloud.

    That's marketing convincing the easily-lead that obviously wrong things are right for over a hundred years.

    1. a_yank_lurker Silver badge

      I would say compliance is tricky on the cloud because you have to give up some control of the data (e.g. where is physically stored, etc.). But for small organizations the cloud might overall be better for compliance as they are probably weak in IT resources. However for a large organization who can afford the IT resources in house in likely to better for compliance as you have complete control of the data.

      1. The Nazz Silver badge

        complete control over the data .........what, like Morrisons Supermarkets?

    2. big_D Silver badge

      At the end of the day, I'm responsible for my data and any breach, even if the cloud provider screws up, my neck is on the block. The cloud provider may also be held responsible, but in the first line, my data, my responsibility.

  3. Anonymous Coward
    Anonymous Coward

    Small bias sample and probably many are guessing at questionaire responses.

    In the Microsoft - Ponemon report if breaks down the respondents by number and type. Only ~3.5% of ~30,000 bothered to reply, probably typical of self-administered and potentially with considerable bias from people that things are good or bad with the usual majority don't care about the survey or possibly out of scope. Of those that did respond 36% came from regular staff or technicians. From my experience non-management regular staff and technicians would not have access to executive and/or management decision making and their answers would be based on their imagination. Its a marketing exercise, at least I give them credit for detailing the sample sources.

  4. jake Silver badge

    Well, speaking as the Boss ...

    ... I'd have to say that ultimately I am 100% responsible.

    After thinking long and hard about the problem, I have come to the conclusion that SaaS, PaaS and other cloudy nonsense adds at least one more layer to my corporate security (and often several more layers), and thus increases the size and quantity of potential attack vectors. As a direct result, how can I say it makes data protection compliance better with a straight face?

    So I don't use cloud. It's inherently far less secure than keeping it all in-house.

  5. 0laf Silver badge

    Are you the Data Owner? Then it's largely your problem.

    The cloud supplier is a data processor certainly and has some responsibility but where the configuration of the cloud service is down to you then that problem comes all the way back to you, the data owner.

    Where is gets cloudy {many lols :-| ) is that vendors like to imply they give your data complete security and that they are complety solid on providing you a platform to host PII data. Which is true IF you buy the right services and configure them correctly.

    If you buy the cheapest no frills option and stick it in vanilla, you'll get nailed and the cloud vendor is not going to step up and take the blame for you.

  6. Mike 137 Bronze badge

    ' "not confident" that the SaaS [...] they use meet privacy and data protection requirements'

    "more than 50 per cent of respondents say they are "not confident" that the SaaS and PaaS applications they use meet privacy and data protection requirements"

    Over half the respondents? That means (statistically) that nobody gives two hoots about complying with the law - what a surprise!

    In every jurisdiction I have encountered, the principal, not the outsource, is primarily responsible for governance, including compliance with the law. Nevertheless, when consulting I regularly find organisations engaging third party services without adequate investigative diligence or operational oversight. I call this "fire and forget outsourcing", and businesses only get away with it because of lax enforcement and the disparity of power between corporations and anyone raising an objection.

    1. Anonymous Coward
      Anonymous Coward

      Re: ' "not confident" that the SaaS [...] they use meet privacy and data protection requirements'

      "Over half the respondents? That means (statistically) that nobody gives two hoots about complying with the law - what a surprise!"

      Actually it's probably worse than that, they probably believe they comply with the law having outsoured the risk to the cloud provider. That belief is based upon avoiding reading anything other than the marketing blurb of the provider.

      Actually most SAAS providers I've come across since GDPR are in as much of a fantasy world as the customers. One provider of an Occupational Health SAAS continually claimed the system held no PII therefore wasn't subject to GDPR. Then it didn't need MFA on the intrnet, doesn't need seperation between cutomer data, doesn't need to log employee access to client files.

      So abviously we've gone and bought it.

      1. EnviableOne Silver badge

        Re: ' "not confident" that the SaaS [...] they use meet privacy and data protection requirements'

        the problem is that before GDPR this was ok,

        but since it came in both the Provider and the Data Owner are Jointly and Severably liable, so theres a lot of grey area that the Providers can contractually avoid, but the Data Owner will think is covered...

        If the relationship is just Owner and Cloud provider, thats one bit of grey, the issues come when you have a supplier in the middle, so there are then grey areas between all three parties and trying to get the right controlls and right assessements done is a nightmare.

        Hence why our PII is safley locked in our data centre where atleast we know what is our responsibility.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020