Data and AI platforms in the cloud: security and data protection are not negotiable
But do not give in to technological euphoria and the siren song of cloud operators without thinking twice. When moving data storage outside the enterprise, there are some points to consider with the utmost seriousness.
In a virtualized world, the geographic location of data is important
First of all, if the stored data is at all sensitive, we must ensure that the data center hosting it is indeed located in Europe, or even in France. This seems obvious for personal data since the entry into force of the GDPR, but it must also be required for all other types of data to ensure good protection.
GDPR vs. Cloud Act: the diplomatic battle of the regulations
In regulatory matters, we are currently witnessing an unprecedented geostrategic skirmish. While Europe is basking in the protective comfort of the GDPR, the US has pushed through the adoption of a controversial text called the Cloud Act (for Clarifying Lawful Overseas Use of Data). Like a snub to Europe, the American text was promulgated on March 23, 2018, almost two months to the day before the entry into force of the GDPR, and calls into question the sacrosanct principle of data sovereignty.
Specifically, this text allows US law enforcement to access data stored on the servers of US service providers, regardless of the country in which those servers are located. In other words, the US police could (under a warrant or subpoena all the same, and therefore in the context of a rigorous legal procedure) access data stored in the cloud of Microsoft, Amazon, Google, Oracle or IBM without worrying about compliance with local regulations and without notifying the people concerned. This creates an unprecedented diplomatic situation for which international discussions seem deadlocked.
This topic should also be considered when choosing the cloud provider that will host your data. If your organization has a strong strategic sensitivity (as is the case for public players or highly regulated sectors such as banking or insurance), you could choose to turn to a French cloud provider (such as OVH or Orange). But let's hope that international exchanges resume and an agreement is reached between the United States and Europe. In any case, a risk assessment and legal advice can be useful when contracting with a foreign cloud operator.
Reversibility and Cloud Security: Trust does not exclude caution
If you're thinking of building your Data and AI architecture in the cloud, the first thing you need to do is plan how to get out! This may seem surprising, but the subject of reversibility should be considered from the start. In addition to planning what should be done as a last resort in the event of a problem or dissatisfaction with the cloud service, the study of reversibility makes it possible to ask all the right questions and, ultimately, to better control the cloud environment and solutions. This reversibility study is all the more important for Data and AI projects as it relates to elements that are at the heart of the organization's operations and that must therefore be kept absolutely under control.
Another essential point to consider: do not mess with data security (never!). This subject must be studied in its own right when deploying a data platform (whether in the cloud or not, for that matter). The most sensitive data (which implies that the data assets must first be mapped and classified) must at least be encrypted. The most cautious organizations will be able to implement hybrid architectures, either to distribute the data across different clouds, or to distribute the data between the cloud and local storage in the company's own data centers.
But the security fears related to data storage in the cloud are, in my opinion, only cultural and should disappear in the coming years, just as there was a time when people were convinced that their money was safer under their mattress than anywhere else. In reality, money will always be safer in the safe of a bank even if it stores a lot of money (and therefore certainly fuels even more covetousness). It's the same for data security. Cloud actors deploy enormous resources to provide the highest level of security, resources that traditional businesses will usually not be able to deploy alone.
Banking: last bastion of data in the cloud?
Before concluding, I propose a closer look at a sector that is well known at Business & Decision: banking. This sector is particular because it handles a lot of data; data is even the basis of the business. In addition, banks carefully monitor technological developments (it is also on this ground that fintechs attack traditional banks) and have, to do this, armadas of computer scientists in their ranks.
The cloud (and in particular data information systems and AI projects) poses a real dilemma for the sector, which keeps commissioning studies without, for the moment, clearly coming out in its favor. Several attempts have been made, such as those of Société Générale or Crédit Agricole, but the sector remains generally timid about these new architectures for large-scale projects.
A highly regulated sector
It must be said that banks are highly regulated and that several key texts have been published on the subject. I suggest keeping two in mind:
• Risks associated with Cloud Computing by the ACPR (Prudential Control and Resolution Authority), July 2013
• Recommendations on the use of the Cloud by the EBA (European Banking Authority), December 2017
In the latter text, the EBA provides a list of things to consider when deploying cloud banking solutions, including:
• Auditability of systems
• Maintaining a registry detailing the data stored in the cloud
• Informing the supervisor about data stored in the cloud
• Locating data in the country where it was collected
• Data security
• Recovery and transfer of data possible at any time and in case of failure of the cloud provider
This text, which came into effect on July 1, 2018, lays the foundations for the precautions to be taken for Data and AI projects in the cloud by adding new conditions compared to those in force in all other sectors (especially with the GDPR).
Data and AI platform: cloud or not cloud?
In conclusion, it appears that the benefits of the cloud are undeniable for Data platforms and that the intrinsic qualities of the cloud are invaluable for AI projects. In addition, the idea that the cloud can be less secure than traditional infrastructure is simply cultural.
However, care should be taken when switching your Data and AI platform to a cloud service:
- Locate the data in Europe (or even in France) according to the level of sensitivity
- Study regulatory, legal and contractual impacts with the utmost seriousness
- Plan for reversibility from the start of the project
- Pay the utmost attention to the security of data at rest and in transit
With that, you have the right recipe for building a durable, robust Data Architecture that can accommodate all of your organization’s AI initiatives.