Cloud Storage Offers Data Safe Haven From Harvey’s Deluge


By Daniel R. Stoller

Cloud data storage offers the promise of a cybersecurity safe haven and business continuity when companies, like those in Harvey’s path, are faced with flooded offices and no power for local servers, cybersecurity professionals and cloud computing company officials told Bloomberg BNA.

Harvey, once a Category 4 hurricane, has wreaked havoc on the Houston metropolitan area, the fifth largest in the U.S., and is moving north through Louisiana. Disaster analyst Chuck Watson projected Harvey’s overall damage will cost as much as $75 billion, Bloomberg News reported. Halliburton Co., Phillips 66 Co., and Waste Management Inc. are all based in and have significant operations in Houston, according to Bloomberg data.

The devastation caused by Harvey serves as a stark warning to companies that collect and store customer, employee, and other sensitive personal data. These businesses should seriously consider storing such information in the cloud in the future if they haven’t already, cybersecurity pros said.

Companies “of all sizes” should have a “cloud-based migration plan” in place to maintain data security, “readiness, response, and resiliency,” Peter Tran, general manager and senior director in the Worldwide Advanced Cyber Defense Practice at RSA Security in Boston, told Bloomberg BNA. Having a cloud-based backup plan “removes physical geographic dependencies,” because the data can be safely housed on servers far away from threats, he said.

If a “data center in downtown Houston” fails, or if on-premise data storage is compromised, companies will still be able to reach their sensitive data to get back up and running, James F. Peters, vice president of technology for Quasar Data Center in Houston, told Bloomberg BNA. “Reputable cloud providers” will build their data centers “to sustain these types of disasters,” he said.

Cloud Security, Availability

Companies may be hesitant to release control of highly sensitive data to a cloud provider, but many third-party services offer greater cybersecurity and faster response times in the event of a crisis, cybersecurity pros said.

John Suit, chief technology officer at data security solutions company Trivalent in Annapolis, Md., told Bloomberg BNA that larger cloud providers, such as Microsoft Corp.'s Azure and Amazon.com Inc.'s AWS, generally offer their services globally and nationally. Data kept by large-scale providers can be moved and accessed across the U.S., away from natural disaster-prone areas, he said.

But even local providers may be up to the task of safeguarding data if they have multiple locations and natural disaster fail-safe plans in place for when a storm strikes.

Peters said that if Quasar’s downtown Houston data center were compromised, the company has a backup location in Dallas that could handle its customers’ data. Many cloud providers, regardless of size, have “fail-over systems,” much like Quasar’s Dallas data center, that would show little to no impact to clients who use the service.

As a last resort, cloud providers should also allow companies to access the data in their facilities in case of large-scale network outages, Peters said. Companies should be able to go to a data center and “physically copy over stored data on a hard drive or other device” for business continuity purposes, he said.

Regulatory Concerns

Some companies considering the cloud as a way to ensure the security of data during a disaster may hesitate because they want to ensure they can control their regulatory obligations. Those concerns can be addressed by exercising due diligence on possible cloud service providers.

Some industries fall under federal and state regulations that may require increased data protection and security protocols for information stored in the cloud. Often, cloud providers will offer separate services for regulated industries to help ease compliance burdens, cybersecurity pros said.

All industry-specific “regulations must first be met for data handling” before deciding on a cloud provider, “based on the business’s need,” Suit said. Major cloud providers, such as Amazon Web Services and Microsoft’s Azure, know the needs for most regulated industries and will “work with the business to ensure regulatory compliance, while keeping the data available,” he said.

Companies, especially in the health-care and financial services sectors, must remain cognizant of their obligations when moving data to the cloud, Peters said. For example, the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard require “various certifications” and enhanced data security standards when data is stored in the cloud, he said.

Before picking a cloud provider, companies should make sure there is a compliance officer on staff who has knowledge of relevant regulations and laws, Peters said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
