Navigating the cloud: Ensuring secure data management with minimal risk


In this webinar recap, we explore the considerations and strategies essential for secure and compliant cloud management throughout the lifecycle of your data and the full relationship with your provider.

Sue Trombley
December 8, 2023 | 7 mins

In the last webinar of our 2023 Education Series, “Where, exactly, is your cloud?”, we were joined by Julia Bonder-Le Berre, Head of Global Privacy, and Steve Lester, Senior Corporate Counsel for Iron Mountain, to shed light on how information in the cloud can be managed with as little risk as possible and in a compliant and accessible manner.

The use of cloud services has experienced a notable surge, particularly since 2020. The transition to a more remote workforce prompted a swift acceleration in cloud adoption, with its benefits ranging from increased capacity and functionality to scalability, enhanced productivity, reduced maintenance, and potential cost savings.

Balancing benefits and risks

At its core, the cloud consists of servers distributed across data centers worldwide. Because the cloud relies on physical infrastructure that could be located anywhere, data residency requirements can significantly impact decisions about where to host data. As a result, the use of cloud services necessitates careful alignment with information and data governance programs, complemented by robust security and privacy policies. This prompts questions about data privacy, security breaches, and related issues for information and data governance professionals. It demands meticulous consideration to safeguard personal and proprietary data, whether within or outside organizational boundaries.

Research conducted by Economist Impact, sponsored by Iron Mountain, surveyed over 600 executives globally, revealing a heightened awareness of risk, with 95% stating they are more attuned to risk considerations than ever before. Outsourcing data to reputable cloud providers comes with inherent risks, but choosing the right provider should ultimately reduce these risks.

The responsibility of organizations to ensure their chosen suppliers align with privacy, data governance, and security principles becomes a crucial starting point. The process involves careful assessment of a vendor’s policies, followed by the creation of comprehensive data processing agreements that outline roles and responsibilities.

“It is the responsibility of the enterprise to make sure the supplier complies with its privacy, data governance, and security principles before selecting or onboarding a vendor. This should then be further transposed into a data processing agreement that details the relevant roles and responsibilities of each party.”
Julia Bonder-Le Berre, Head of Global Privacy, Iron Mountain

Organizations must have clear policies for cloud usage, emphasizing the need for acceptable use guidelines. Decision-making around acceptable cloud use is a cross-functional effort. Involving stakeholders from security, privacy, legal, procurement, IT, and operational governance ensures a comprehensive evaluation of risks and controls, and informed decisions on moving enterprise data to the cloud.

Choosing the right partner: The three Cs to protecting privacy

When selecting a cloud services provider, ensure there’s a shared commitment to respecting and protecting personal data throughout its lifecycle. The “three Cs” approach—Commitment, Controls, and Contract—is a framework for forming a trusting relationship with your cloud vendor:

  • Commitment: This includes assessing the vendor’s dedication to data privacy, the presence of a data privacy officer, and the alignment of values regarding the ethical use of data.
  • Controls: This is pivotal in preventing data breaches. Engaging information security teams to scrutinize the vendor’s policies, procedures, and data governance measures ensures a comprehensive evaluation of their commitment to data protection.
  • Contract: This solidifies the relationship. The negotiation is where the alignment of values, commitment, and controls is translated into a legally enforceable contract. The role of information and data governance professionals doesn’t conclude with the formation of a contract and the initiation of the business relationship. Ongoing policing is necessary, especially as the vendor takes a more active role in data management.

Safely closing out a cloud vendor relationship

To minimize risks before a vendor relationship ends, it’s important to have a clear exit strategy built into the initial contract. This strategy should encompass the retrieval of data and the termination of services while mitigating potential disruptions. Information and data governance professionals should exercise their expertise at the end of the service, ensuring that the controls and processes remain as rigorous as they were at the beginning of the relationship.

“Your role does not end as soon as the contract is formed and the business relationship begins with the service provider. Having a well-defined and regularly updated exit strategy becomes instrumental in safely navigating the conclusion of cloud-based relationships.”
Steve Lester, Senior Corporate Counsel, Iron Mountain

While some scenarios may unfold amicably with the natural termination of a contract or service, others may present challenges, such as a service provider acquisition or, worst-case, disputes leading to data hostage situations. In such cases, it’s important to involve legal teams promptly, even before a lawsuit arises, to navigate potential pitfalls and safeguard data integrity.

As cloud relationships evolve, information management, data governance, and risk mitigation must remain at the forefront of your organizational strategies, ensuring a resilient and secure future.
