Data Security

IT and Data Privacy – Cloud vs On-Premise – Data Security Issues – Article 4

This is the fourth of six articles that analyse the risk around cloud and on-premises systems.  As I stated in the first article, my view is that the caution many people adopt when ‘going cloud’ should be applied as much to on-premises systems to obtain the best risk profile for a business’ information systems.

In this article we analyse data security.  The previous articles discussed governance and confidentiality issues, and the following articles will discuss resilience and provide a summary.

Data Security

This is where cloud services really shine.  Ironically this is also the area which is usually of the greatest concern.

The question to ask is whether a business would prefer to delegate the security of their data to a provider with extensive resources dedicated to the maintenance of data security and the detection and resolution of security incidents, or to manage data security themselves, either directly or via an IT provider, neither of whom is likely to be a cybersecurity specialist.

The resources and skills required to detect and protect against security intrusions is way beyond the capabilities of most IT providers.  Cybersecurity has evolved to its own discipline and there exist businesses that specialise in cybersecurity management, most of whom are not engaged by local businesses to manage their IT infrastructure.

Detecting an intrusion is itself very difficult.  If an intrusion remains undetected, as many are, an intruder could usually remain, or ‘dwell’, in a compromised system for up to six months, or even longer in some cases.

Cloud services encrypt data at rest (when it is stored) and in transit (when it is sent to a computer to use).  Cloud providers usually have robust systems in place to ensure the keys used to decrypt data are not easily accessible.

It is true that cloud services provide an easier target for intruders.  However, this is offset by the increased security resources dedicated to detecting and mitigating this risk.

On-premises data is almost always not encrypted, particularly on practice management servers and file servers.  On-premises backups are also usually not encrypted and may not be stored in a secure location.

An intrusion into an on-premises system carries significant risk of going undetected, and the intruder is likely to have access to unencrypted client information for an extended period of time.

Table 1 Data Security

  Encryption at Rest Encryption in Transit Effect of Termination Change of Control
Dropbox Yes Yes Will notify and give opportunity to export data Will notify and ‘outline your choices’
Dropbox Business Yes Yes Provision to export data after termination Not specified
Google Workspace Yes Yes Access to data ceases on termination Will give notice
Microsoft 365

 

Yes Yes Not specified Not specified
On Premises

 

No No N/A N/A

Verdict

In my view, cloud services do data security much better than on-premises services.  Although cloud might be an easier target, this risk is more than offset by the much higher level of cybersecurity skills present inside cloud firms (or at least the candidate firms discussed) than what exists in the on-premises context.

Data security is a comprehensive win for cloud in my view.

In the next article we discuss data resilience.

For more information and expert advice, ask to speak to Mark Ferraretto at Ezra Legal on (08) 8231 6100 or email markf@ezralegal.com.au

For information and articles on the range of IT and data privacy advice and services that we provide, head to:

Mark Ferraretto

Lawyer – IT and Data Privacy

Ezra Legal

Mark Ferraretto

Categories: Blog

Leave a Comment

Your email address will not be published.

Scroll to Top