The pursuit of immediate ROI through AI digital transformation has pushed many enterprises toward stitched-together cloud solutions. In the rush to find efficiencies, many leaders operate under a dangerous assumption: that their cloud provider is a security blanket. But not all providers are created equal.
This belief is the modern extension of a decades-long trend of outsourcing what was once on-prem, and has created a critical and often misunderstood gap in security. We spoke with Laxmi Ramanath, the founder and CEO of risk and compliance software company La Meer Inc. With a career forged building high-stakes systems for financial giants like Citibank and the Bombay Stock Exchange, Ramanath has a clear-eyed view of where the true responsibility for enterprise risk lies.
- On your own: "From a data privacy perspective, major cloud providers offer privacy, but you are often on your own to implement it throughout every stage of implementation," Ramanath says. "When you start creating solutions on top of these platforms, it's still up to you to layer all your security and data privacy over it."
Ramanath says this reality touches everything from core infrastructure to AI-powered chatbots handling customer service. "There are multiple aspects of data privacy, data security, data in case of a failure, and protecting business continuity. All of these aspects have to be very much thought through in any system you build on the cloud. These measures are especially important on the cloud because the vulnerabilities are higher when it's a common resource."
- A regulatory maze: The challenge is amplified by a global regulatory landscape that has rendered old architectural models obsolete. The days of a single, centralized system are over, creating a direct conflict between legacy tech and modern law. "There used to be one unified system for the whole bank where all client data would be in one place," Ramanath explains. "Now you have this challenge where regulations say it cannot be in one system; individuals who are customers need to have their data in their local jurisdiction only. Otherwise, you're in violation."
To navigate this, she suggests practical tactics like creating a "data vault" to hold sensitive information locally, addressing the rules without a complete architectural overhaul. The external pressure is matched by staggering internal complexity. This isn't a small project, as a single bank can have "about 200 plus different systems" for everything from CRM to wire transfers. Managing compliance across this sprawling, often outsourced ecosystem requires a new level of operational discipline.
That discipline must be baked into every process, from managing software updates to training staff on their "need to know." Without it, the consequences are severe.
- Reading the docs: "You don't want to lack the documentation, because the next set of people who face the music need to know how to answer those questions when the regulators come to the door," Ramanath warns. Ultimately, it isn't just about protecting corporate data; it’s about safeguarding the sensitive information of customers and employees. A breach on the cloud carries a tangible and human cost.
After outlining the immense and multifaceted risk, Ramanath offers a crucial perspective: the entire industry is just getting started. "If you end up having a compromise on the cloud, then you are vulnerable," Ramanath says. "You're vulnerable to have lost those PIIs that could be misused for whatever reason, whatever purpose."
"I think we are still in the beginning of the curve in terms of organizing ourselves. And so I think there is a long way to go in terms of putting this on the agenda on the senior management," says Ramanath. This early stage is often hampered by the significant cost of such large-scale initiatives and the need for senior leadership to champion the change. The ultimate path forward requires abandoning the "checkbox" mentality and embracing a proactive philosophy of "data by design." It means treating enterprise risk as a fundamental, evolving business discipline that requires thought and leadership from the top down to implement correctly.