We can store and process our data well in them and generally derive value from them. Cloud providers are keen to highlight the economies of scale and boast about the security of their Cloud; who else has as much expertise and capacity as they do to safeguard your data? And yet, something is fundamentally wrong, something that should be fairly easy to fix if the will is there. Listen to the customer.

Secure by default Cloud
On Tuesday, October 1st, during the ONE Conference on the stage of the World Forum in The Hague, attention was given to the Secure-by-default Cloud initiative. The FD (article in Dutch) also reported on this. Initiators Lokke Moerel (Professor of Global ICT Law at Tilburg University, senior counsel at Morrison & Foerster, and member of the Dutch Cyber Security Council) and Freddy Dezeure (former Head of CERT-EU, among others) explained how they have been in talks for several months to get Cloud providers to deliver their services securely from the start. Now you might think, they should be doing that already. They use security as a selling point, and a lot of reputation is at stake, but it turns out not to be that simple.

Who is responsible
Cloud services are quite complex technologies, encompassing infrastructure, computing power, and storage, along with various software layers. And a lot of data is processed on them. Partly managed and configured by the provider, and partly the responsibility lies with the user. And that’s where the problem lies. In the configuration of the security aspects for which the user is responsible.

When a Cloud service is delivered, generally, just like with on-premise software, most functionalities are enabled, and security settings are off or low. Documentation is provided to enable the user to configure the appropriate levels of security. This ‘user manual’ usually spans dozens or even hundreds of pages of explanations on settings and how the software should be adapted to the customer’s needs. Doing this well requires time, expertise, and perseverance. Or costs to hire consultants to set up the configuration. Moreover, this exercise will have to be repeated every time an adjustment in functionality is desired. Keeping an eye on the security of the data in the system and the system itself is thus a complex task, which often leads to mistakes and errors.

Moerel and Dezeure have therefore taken the initiative to change this in one fell swoop: Cloud baseline security by default. If Cloud providers were to lock down their services completely by default and then help the customer open only the functionality they need, it would save a lot of mistakes and risks. The customer still has to take their own responsibility. But the risk is smaller because fewer services are ‘open’ that are not needed. Simple intervention, big effect. That is why various companies, organizations, and associations such as CIO Platform Nederland and Beltug support this initiative.

Control over your data
However, this does not seem to be easily embraced by Cloud providers. They claim that customers do not want it. They want to be able to use all the features easily and not feel restricted in their innovation. That may be true when you talk to some users, but the argument does not hold. If you compare data to money, it would certainly be much easier for the same category of users if the CFO just left the vault open or put the company credit card on the counter so that everyone can invest in new projects without too much hindrance. But that is not how it works in practice. You want to maintain control over your finances. The same should apply to your organization’s data. You also want to handle that carefully and ensure that only those who are authorized and know the rules can access it.

It also exposes a broader problem in the relationship between digital application providers and business users. Suppliers often indicate that new functionalities are developed ‘because customers indicate they want it’. The question then becomes, which customers exactly were these conversations held with and what is the context of that need? Is it the ‘customer’ who advocates for the open vault, or the CFO who is responsible for financial governance? And if there are customers with a specific wish, does that mean that the new ‘desired’ functionality should be built in for every customer and can be turned on or off with ‘sliders’? Preferably not, I would say, at least not for functionality that can significantly affect security and privacy.