IT and Data Privacy – Cloud vs On-Premise – Data Security Issues – Article 4
This is the fourth of six articles that analyse the risk around cloud and on-premises systems. As I stated in the first article, my view is that the caution many people adopt when ‘going cloud’ should be applied as much to on-premises systems to obtain the best risk profile for a business’ information systems.
In this article we analyse data security. The previous articles discussed governance and confidentiality issues, and the following articles will discuss resilience and provide a summary.
This is where cloud services really shine. Ironically this is also the area which is usually of the greatest concern.
The question to ask is whether a business would prefer to delegate the security of their data to a provider with extensive resources dedicated to the maintenance of data security and the detection and resolution of security incidents, or to manage data security themselves, either directly or via an IT provider, neither of whom is likely to be a cybersecurity specialist.
The resources and skills required to detect and protect against security intrusions are way beyond the capabilities of most IT providers. Cybersecurity has evolved into its own discipline and there exist businesses that specialise in cybersecurity management, most of whom are not engaged by local businesses to manage their IT infrastructure.
Detecting an intrusion is itself very difficult. If an intrusion remains undetected, as many are, an intruder could usually remain, or ‘dwell’, in a compromised system for up to six months, or even longer in some cases.
Cloud services encrypt data at rest (when it is stored) and in transit (when it is sent to a computer to use). Cloud providers usually have robust systems in place to ensure the keys used to decrypt data are not easily accessible.
It is true that cloud services provide an easier target for intruders. However, this is offset by the increased security resources dedicated to detecting and mitigating this risk.
On-premises data is almost always not encrypted, particularly on practice management servers and file servers. On-premises backups are also usually not encrypted and may not be stored in a secure location.
An intrusion into an on-premises system carries significant risk of going undetected, and the intruder is likely to have access to unencrypted client information for an extended period of time.
Table 1 Data Security

| Service | Encryption at Rest | Encryption in Transit | Effect of Termination | Change of Control |
|---|---|---|---|---|
| Dropbox | Yes | Yes | Will notify and give opportunity to export data | Will notify and ‘outline your choices’ |
| Dropbox Business | Yes | Yes | Provision to export data after termination | Not specified |
| Google Workspace | Yes | Yes | Access to data ceases on termination | Will give notice |
| | Yes | Yes | Not specified | Not specified |
In my view, cloud services do data security much better than on-premises services. Although cloud might be an easier target, this risk is more than offset by the much higher level of cybersecurity skills present inside cloud firms (or at least the candidate firms discussed) than what exists in the on-premises context.
Data security is a comprehensive win for cloud in my view.
In the next article we discuss data resilience.
For more information and expert advice, ask to speak to Mark Ferraretto at Ezra Legal on (08) 8231 6100 or email firstname.lastname@example.org
Lawyer – IT and Data Privacy