Compliance in the cloud

More companies are turning to cloud computing to reduce expenses, but putting company data in the cloud comes with increase risk. Rena Mears, global and U.S. privacy and data protection leader at Deloitte, discusses how cloud computing is transforming data classification and security.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact   

Compliance in the cloud

Rob Westervelt: Hello. I am Rob Westervelt, the News Editor of, and today we are going to be talking about
data management in the cloud with Rena Mears. Rena is a partner
in security and privacy services at Deloitte. Thank you for joining us,

Rena Mears: Thank you for inviting me.

Rob Westervelt: Rena, you have done a lot of work around data
classification. How does Cloud computing throw a wrinkle into the
data classification projects?

Rena Mears: For one thing, it makes people think. When you were
originally talking about data classification, usually a company is
looking just at themselves, and the immediate use of it, so often
times the consequences or the granularity with which they have
to think about the consequences is different. When you move to
a could-based computing, and when I say cloud in this case, I am
talking about outsource Cloud computing, part of the interesting
conversation that's going on here at RSA, or anywhere when you
are talking about Cloud, you have to be very careful that you are
using the term in the same way that the person you are talking to
is. When I am talking about outsource cloud computing, you are
not just putting data internally, you are actually taking the placement
of that data, not just the application, not just the infrastructure, but
actually the data, the asset, and putting it in the hands of a third
party, which happens all the time in outsourcing. Then you are
looking at it in a model that basically is saying to you, 'We are going
to use resources to maximize the return on those resources,' so that
data can be anywhere. It can be in a virtual environment, we are
talking about virtualization in that case, it can be housed with other
data from other entities. You really have to start thinking about how
much risk you want to take, so that can actually lead to considerations
around classification. If you would normally classify based on your
direct relationship with other parties around use, you may want to add
some considerations, and the classification may need to be more fine-grained.
You may end up with a different profile for a specific class, or you in fact,
may end up with more classes. It is not just cloud computing that causes
that kind of rethink. Periodically, companies need to look at their classification
system, their data, their business processes, and the environment in which
they are using all those assets, and say, 'Does my classification framework
still fit?' If they feel like something has changed and in this world, something
always changes, they need to revisit it. I think that is where we are today.

Rob Westervelt: Are there best practices for companies that are going to
be moving toward a Cloud computing model?

Rena Mears: I think there is a lot of good thinking out there. I would say
we are in a negotiation process or a robust dialogue. I do believe certain
areas have better maturity than others, for instance, security in the
traditional infrastructure sense, has a lot of well known standards and has
had a lot of thought to it over the years. You start adding that to new business
models and you have to again, reassess. I think you are going to see those
reassessed in some ways, advanced, or expanded. On the privacy and the
data use side, on the intellectual property protection side, I think the
conversation is still underway, it is not clear to me that we have a complete
set of standards out there that apply universally and globally. I think most
attorneys, especially on the intellectual or privacy side, would agree. When
you look at the European model and you look at the difference between that
and the US model, and then you look at Asia, you realize that you are
dealing in global environments, you are dealing with different expectations,
different legal requirements, and we have not completely put together
the fine-grained requirements that you would expect to see in a mature
technology situation, or mature marketplace. Are there practices out
there that exist that you can reference? Yes. Is the dialogue still going
on? Very much, yes, and I think we are going to continue to see again,
evolution, in that respect. I am not say that there is not enough out there
to make a good case for what your expectations are as a buyer and
consumer of services, and what you as a provider of services, there
is enough there for you to start to make a good conversation and
agreement between the two of you.

Rob Westervelt: What does one do, then? Where does one begin if
they are going to be choosing a service provider, for example?

Rena Mears: You start with a dialogue. I was on a panel this morning
talking about the idea that traditionally, when you used outsourced third
parties, it went to your procurement department and your contracts
department, and had a contract 50 pages long. The interesting thing
about a lot of the technology we see now, not just cloud computing,
but a lot of the technology is that there is very helpful technology that
folks are used to using, either in the university setting or as they have
come up in different jobs or careers, that are actually supportive of
interactive work. Very often they continue to use those products and
services because they are available online in their current workplace,
but they may involve just click-through agreements. Suddenly, you
have an enterprise where data may be shared in a Cloud environment or
on an internet based space, and it is being addressed through click-through
agreements, that is not the same as corporate procurement. Understanding
how you are actually sharing data in this environment, how your workforce
is sharing data in this environment, and understanding what the requirements
are that you feel are necessary, and talking about those, both with your
employees and with your providers becomes very important. I would say
the first thing is conversation and dialogue. The second thing is determining
that you, as a buyer, believe your requirements are and communicating
those clearly, then enshrining them in the corporate agreements that you
put in place.

Rob Westervelt: Let us talk about compliance issues when companies
move toward cloud computing. What are some issues that companies
have to deal with, in terms of compliance?

Rena Mears: We just did a survey, did a third Deloitte Poneman Enterprise
at Risk Survey, it is the 2009. It is not out, available yet in public, but we
are previewing it at the RSA, the findings from that, and a couple of things
we found, because we were asking about those issues, what does a
company do, how many people are actually already in the Cloud? 48%
were already in a Cloud, 22% were moving in that direction, so you are
talking about a large majority of people already moving there. The second
thing we asked, 'What are you concerned about?' Intellectual property
protection, the ability to meet regulatory and contractual obligations was a
huge issue; another issue they were very much concerned about was being
able to determine compliance. How could they actually go, themselves,
and get assurance that the entity was complying? That became another
large issue. They understood that they had risk associated with this
model, they understood that what they needed to put out there, this was
very interesting; the kind of things they were using it for, email. They were
using it for financial applications, so they were putting data in the cloud that
was obviously very important to them, and how were they dealing with
those risks and concerns? They were putting it in the contractual
requirements, but again, worried about being able to gain assurance. I
think at the end of the day, we got a disconnect going on here, between
how a company approaches, what they are putting out there, how much
they understand the risk is, and what they are putting in place to remediate
and assure themselves of those kinds of requirements are being met in that

Rob Westervelt: Rena, are there benefits to managing data in the cloud and
is it just monetary?

Rena Mears: A major one is monetary. I have had clients tell me they can
go from $500 a desktop to $5 a desktop.

Rob Westervelt: Wow.

Rena Mears: When you have that kind of conversation going on, all
other questions become almost secondary. In this environment, in a
downturn economy, we are watching drivers towards anything that
will help reduce cost associated with data. The other thing is that there
is liability associated with data. When you are trying to mitigate the
liability or the risk associated with the data, you are talking about having
to acquire very, very specific skill sets. You asked about compliance;
how hard it is to maintain compliance in third party. You have to assume
that you got skill sets and they got skill sets. We know what it takes to
maintain skill sets and acquire the skill sets necessary to keep those
standards in place. If you can share that cost with another party, that
actually can be a benefit, so the argument about how Cloud can actually
improve security is that you are taking what a very scarce resource is and
you are concentrating them in a single place. This is scale; this is the old
economic scale issue. If I put it in a place where I can concentrate the
resources to be secure, then provide the level of security, maximizing
those skilled resources, I have gained, rather than trying to cobble them
together in a company that that is not their first focus, they area widget
company, or they are a technology company, but they are focused on product,
they are not a security company. You take a Cloud provider and you make
security a major part of their service offering, and suddenly, you have focused
very highly skilled people who ordinarily would represent a high cost, and you
have focused them in a single area. That can be a very powerful incentive to
move to the Cloud.

Rob Westervelt: I have talked to experts that said that researchers will find
better security solutions for managing data in the Cloud. Are you just as
optimistic as they are?

Rena Mears: I am always optimistic that technology will move in a direction
that the market demands. That is not being Pollyanna, that is taking a look
at the last 25 years. If you have followed security for 20 years, we certainly
have advanced. I think there is something to be said though, for a change in
focus around how we approach security. Data, we call ourselves the global
information age, and I think I had probably said this to you the last time we
talked, but we are ignoring the one thing that speaks to an asset in that
sentence, which is data. I am actually interested in some of the things I
am hearing at RSA about moving security and the focus of security just
from the infrastructure to the data itself, to the asset itself. Some of the
advances we are starting to hear are discussed in encryption, focusing
again, on the data itself, carrying its own security with it, freeing ourselves
up from the massive focus on external perimeter defense and depth. I am
not arguing with that approach, I think it is valid and obviously, has been
proven to be valid many times over the years, but as we move in a global
information economy with the asset moving around, this is not a problem
that is just the CIO's, or the CISO's, or the Cloud computing provider. This
starts at the C-Suite, what is the asset I am trying to protect? What is the
asset I want to use? How much of it do I have? How am I using it? Where am
I putting it? That is a strategic decision, it is a business decision, and it
starts at the top, then we move all the way through. Am I confident that
technologists will come up with answers? Yes, I am confident. Am I confident
in any specific solution that we will end up in nirvana? No, but I think together,
if we start looking at this as an asset management situation, an asset
management opportunity, I think the answer is clearly yes. All that together
will provide a marketplace we can all work in.

Rob Westervelt: Let us talk about data owners. Who actually owns the
data in the Cloud? Do the data owners within an organization actually

Rena Mears: Yes, absolutely, but not necessarily because of the movement
into the Cloud. In fact, to assume that there is a single owner of data is probably
to make everything too simple. If I am his end user, if I am a data subject, so to
speak, if I am the data subject, I probably believe that I have rights, and if I sit
in the EU, I know I have rights to my own data. In the United States, it is more
open for conversation. If I am a company that is acquiring data, absolutely I have
not only rights, but obligations. I do not lose those obligations or those rights just
because I move it to a cloud provider or any other third party. I am now essentially
in front of the cloud provider or the cloud service provider; I do not get to walk
away from my obligations. The data owner, even within the enterprise, may
change, so as data moves from one department to another, or data is attached
to different pieces of data, you end up with different data owners, even within
the enterprise. That in and of itself complicates the situation because you start
to wonder who is responsible for the data? Who is responsible for managing it
and securing it. When you add the third party and the cloud computing aspect to
it, again the contractual agreement, the service provider, what obligations get
transferred to the provider, and who is obligated at the end of the day, should
something go wrong? Very often the company that is outsourced to a third party
believes that somehow they have off loaded some of that liability, and the answer
is, usually not. Usually, it becomes a chain of semi-ownership, semi-rights, and
semi-obligations, if you will; a better word is probably shared. Yes, the ownership
and the obligations change.

Rob Westervelt: Rena, when I talked to you last year about data classification, you
said that companies are starting to get a better handle on their data. Has the
economy played into this in any way? How has the economy affected this?

Rena Mears: A couple of different ways. Obviously, there has been a loss of jobs,
both on the privacy side and on the security side. You are just seeing a downturn,
when you see lay-offs, you see it hit both the IT groups and the offices of general
counsel, and so whenever you lose expertise, you know you are losing something.
The answer is to do more with less, but rarely can we do more with less. There is a
tendency to have a lag, and there is more risk to the situation, and we have seen
folks struggling to meet the requirements that they have, and I expect they will
continue to struggle. The survey that we do definitely shows there has been a loss,
particularly at senior levels, on the privacy side, not so much on the security side,
but we do see it. When you lose those scarce resources, then you have impact. The
other aspect is it does cause companies to look more towards outsourcing,
modulization of both IT and security. This is where you have to stand back and say,
'How much effort are you putting in to figuring out these questions?' You keep saying
to the IT department, 'It is your responsibility to protect data,' with the assumption that
they know where the data is, who is using it, who it is being shared with, and they
manage the lifecycle. That is not the case; business owners do those kinds of things.
As you start to look towards solution sets in a downturn market, you see things lagging;
companies are still struggling to figure out where their data is. Although we see more
companies doing data inventory, it is very slow. If they do not know where their data is,
you cannot expect the IT department to be able to protect it, necessarily. Watching the
kind of impact of a downturn economy, you are just seeing a lag, but you are seeing
movement I think, to modulization, to the kinds of things like service providers,
software-as-a-service, outsourcing, third parties Cloud computing solutions,
depending on how those service providers respond to the market requirements,
privacy law, breach notification, and PCI compliance. As they move to understand
how important those things are to their business model, you may actually see a lift,
which was what you were referring to before, around that concentration of resources
in a place where you could provide better security, or more security. There may be a
little bit of a trade off here, but it is never good to have a downturn for these kinds of
things, it is just not.

Rob Westervelt: Rena, thank you very much.

Rena Mears: Thank you for having me again.

Rob Westervelt: Thank you for joining us. For more
information on this topic, you can go to

View All Videos

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.