Data Privacy in the Cloud – A Primer
Navigating privacy and regulatory challenges in the age of the cloud
Our increasing reliance on data, coupled with the evolving cyberthreat landscape, has given rise to the need for new regulations and other safeguards for protecting information. In the western world, the overarching trend has been to give consumers greater control over their data, including who collects it, how, and why. These new regulations, such as Europe’s GDPR and California’s CCPA, aim to turn the tide on the surveillance economy by setting new and higher standards for digital privacy.
What are the key privacy concerns of cloud computing?
The business benefits of cloud computing cannot be denied. This new and readily accessible distributed computing environment has given companies of all sizes and across all industries the opportunity to seamlessly scale their operations. Today, around half of all business data is stored in the cloud, as companies migrate their computing workloads away from traditional on-premises data centers. However, the convenience also comes at the cost of losing control, at least over the underlying hardware.
- Data leaks
Accessibility anywhere is one of the most important benefits of cloud computing. Employees can typically connect to cloud-hosted apps and data using any device via any network. These devices and networks might not always be secure, thus significantly increasing the likelihood of a data leak. For example, connecting to the internet via an unsecured public WiFi network can leave any unencrypted data exposed to network eavesdroppers.
- Data visibility
Data protection officers and other cybersecurity experts cannot protect what they do not know. Today’s primarily cloud-based enterprise computing environments are becoming so large and so complex that they risk becoming ungovernable. Still, every app and device which collects potentially sensitive information, such as that which falls under the rules of GDRP or CCPA, needs to guarantee privacy by design.
- Data sovereignty
Some privacy regulations include rules on where organizations can physically store data. The GDPR, for example, requires that all data belonging or pertaining to citizens of the EU is stored in the EU or within a jurisdiction which offers similar levels of protection. The US, however, is not considered one of those jurisdictions as far as the EU is concerned. This presents a unique challenge to US companies which do business with citizens of the EU.
- Subject access requests (SARs)
Both GDPR and CCPA regulations require disclosure of certain information in response to a subject access request (SAR). Citizens in regions covered by these regulations can request a complete copy of any data pertaining to them, including the purposes of its collection and the sources it was collected from. They can also request its deletion. In the age of the cloud, where data often exists over numerous disparate systems, it can be extremely hard to accommodate these requests within the legally mandated 30-day deadline.
How to manage privacy and compliance in the cloud
It is easy to view regulatory compliance as a burden or a necessary evil. This is why managing privacy and compliance challenges requires an organization-wide culture change. Instead of viewing compliance as a mere necessity, business leaders should approach it as something that adds value throughout the organization. Compliance can help build trust, future-proof the business, and firmly establish a positive reputation – all things which are extremely important in today’s customer-centric economy.
- Centralized management
Today’s enterprises need to manage data at increasingly massive scale, spread across a mix of on-premises servers, portable devices, cloud data lakes, and off-site data centers. Add IoT into that mix, and the amount and diversity of data collected soon becomes even greater. The first step to ensuring privacy and compliance is to understand where regulated data lives and which controls and policies are in place to protect it. This requires centralized administration.
- User access controls
One of the key benefits of cloud computing is its accessibility, which is also one of its biggest challenges. Identity and access management (IAM) is one of the guiding principles of security and privacy in the cloud. Many businesses follow the principle of least privilege, whereby an employee or third party only has access to the systems and data they need to do their job and nothing more. Access to sensitive data should also be protected by multifactor authentication.
- Service level agreements
Large enterprises often have supply chains comprising thousands of vendors, many of which need to have access to certain proprietary data to provide their services reliably. Unfortunately, many data leaks and breaches occur somewhere along the supply chain, but this does not shift the responsibility to ensure compliance from the enterprise. Any service level agreement (SLA) must clearly stipulate adherence to any necessary regulatory regimes.
- Data encryption
Perhaps the most important rule of information security is to encrypt everything. In most cases, the impact on performance and bandwidth is minimal, but the cybersecurity benefit is huge. Encrypting data at rest and in transit, no matter where it exists or which networks it traverses, will ensure it is useless to an attacker in the event of a breach. Encryption is especially crucial now that employees routinely work from home using unfamiliar networks and devices.
- Availability zones
Public cloud providers like Amazon AWS, Microsoft Azure, and Google Cloud provide multiple regions and availability zones to help organizations comply with data sovereignty rules. Data which is potentially sensitive, especially that which falls under legal regulations, must normally be stored within its country of origin. If an organization must, for whatever reason, take data from one region to another, they may need to do so under the protection of a privacy shield.
Becoming a Certified Cloud Security Professional
One of the core tenets of GDPR and CCPA is privacy by design and default. These regulations are based on the understanding the privacy is a fundamental human right, and any party that collects, stores, or uses personally identifiable information must do so in accordance with the law. That makes compliance almost everyone’s responsibility, which is why business leaders need to implement the right training programs when onboarding new hires, as well as reskilling existing ones. For cloud privacy leaders and decision-makers, we recommend starting with the Certified Cloud Security Professional course.
Cybrary provides customizable training programs across a wide range of cloud computing and cybersecurity disciplines to help enterprises reduce risk. Schedule a demo today!