Data Privacy in the Cloud: Critical Business Issue
By Steve Durbin
Cloud-based systems come with inherent challenges, and these are complicated as information that's subject to privacy regulations—known as personally identifiable information (PII)—inevitably moves into the cloud. In fact, Gartner predicts that more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud by the end of 2016.
PII is subject to regulatory obligations that don’t apply to other types of information. Obvious examples include names and addresses, social security numbers, medical records, bank account details, photos, videos and even information about what a person likes, his or her opinions, and where that person works—basically, any information that makes the person identifiable.
Keep in mind that the information does not have to include a name to be PII. For example, in some cases, a date of birth combined with a ZIP code may be enough to identify someone.
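The date-of-birth-plus-ZIP case above is a quasi-identifier problem: fields that are harmless alone can single out one record when combined. The check below is an added example, not from the article or the ISF; it runs over a small constructed dataset with no names, reports which date-of-birth/ZIP combinations map to exactly one record, and shows how generalizing the two fields (birth year, 3-digit ZIP prefix) raises the smallest group size so no individual is uniquely identifiable.

```python
from collections import Counter

# Constructed sample records with no name field: (date_of_birth, zip_code, diagnosis).
RECORDS = [
    ("1984-03-12", "02138", "asthma"),
    ("1984-03-12", "02139", "diabetes"),
    ("1990-07-01", "02138", "asthma"),
    ("1990-07-01", "02138", "flu"),
    ("1975-11-30", "10001", "flu"),
    ("1975-11-30", "10001", "asthma"),
]


def equivalence_classes(records, key_fn):
    """Count how many records share each quasi-identifier value."""
    return Counter(key_fn(r) for r in records)


def min_k(records, key_fn):
    """Smallest group size: the dataset is k-anonymous for this key at this k."""
    return min(equivalence_classes(records, key_fn).values())


def singletons(records, key_fn):
    """Quasi-identifier values that describe exactly one person (k = 1)."""
    classes = equivalence_classes(records, key_fn)
    return sorted(q for q, n in classes.items() if n == 1)


def requires_pii_protection(records, key_fn, k=2):
    """True when some combination of the chosen fields identifies an individual."""
    return min_k(records, key_fn) < k


def exact_key(r):
    # Full date of birth and full ZIP code, as stored.
    return (r[0], r[1])


def generalized_key(r):
    # Mitigation: keep only birth year and the 3-digit ZIP prefix.
    return (r[0][:4], r[1][:3])


if __name__ == "__main__":
    print("uniquely identifying (DOB, ZIP):", singletons(RECORDS, exact_key))
    print("min k before generalization:", min_k(RECORDS, exact_key))
    print("min k after generalization:", min_k(RECORDS, generalized_key))
```

The same check applies to any field set an organization suspects of acting as an identifier; if `singletons` is non-empty, the data has to be handled as PII even though it carries no name.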
Organizations need to know whether the information they are holding about an individual is PII and consequently needs protection. Protecting PII is the responsibility of the data controller, typically the organization that purchases the cloud-based system. Because protecting PII in the cloud depends on the right combination of controls and safeguards supplied by the purchasing organization and the cloud provider, the responsibilities of each party need to be clearly defined.
Many types of cloud-based services and options are available, and each combination offers a different range of benefits and risks. Privacy obligations don't change when using cloud services; therefore, the choice of cloud type and cloud service requires detailed consideration before being used for PII.
Every cloud-based system is a combination of a particular cloud service deployed on a specific cloud type. There are three kinds of cloud services—infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS)—and each has different inherent risks, as does each cloud type (private, community or public).
The cloud service purchased defines the extent to which the cloud provider is responsible for managing the infrastructure, and consequently the extent to which the provider can see your organization’s information. Clearly, a private cloud is the safest option, but it has implicit costs that may exceed the organization’s budget or resource capability, and therefore may not be the best business-based choice.
A public cloud—in which data is stored by a third party—means that the organization is outsourcing the management and security of its data. In a community cloud, organizations within a certain community share the infrastructure and its costs.
Each cloud service and each cloud type provides a different level of control to the purchasing organization. Therefore, a different degree of inherent risk exists in each of the nine categories of cloud-based systems.
Buy Your Own Cloud: Who’ll Manage the Risk?
Cloud-based systems are easier to procure than traditional IT systems: They can be commissioned by almost anyone with budget authority. This also increases the likelihood and frequency of cloud-based systems going into production in an organization.
The ease of procurement also increases the probability that cloud-based systems will be managed and used by people who are unaware of the regulatory obligations, so they may not assess or manage that risk. The result is an increase in unsafe cloud-based systems.
Existing Safeguards: Safe Enough?
Even organizations in which the awareness of risks is high may be taking on unacceptable risk if their cloud procurement process or information security policy hasn’t been updated to deal with data privacy in the cloud. A number of inherent aspects of cloud-based systems tend to increase privacy risk.
For example, an organization’s PII can be commingled with that of other organizations and backed up together. This can make it difficult or impossible for a cloud provider to delete one organization’s information upon contract termination. If the cloud contract doesn’t have clauses that survive termination, there may no longer be any contractual requirement for the cloud provider to safeguard the information.
Data Privacy and Cloud Confusion
Data privacy is often considered a specialist subject, involving legal concepts and definitions. Cloud-based systems, services and types are also complex, and the combination creates a challenge for people who are just looking for ways to get their job done and advance the organization’s objectives.
If the legal specialists don’t understand the technicalities of the cloud, and the technical people don’t understand the regulations, who do the business units call for advice? Some will simply accept the risk and focus on their core business objectives.
An Opportunity for Collaboration
The movement of PII into the cloud also provides a great opportunity for the information security department to work closely with business units to enable agility while still maintaining compliance. Cloud-based systems aren’t as complicated as many people think, and understanding the basics helps make complying with privacy requirements easier. Organizational pressure to take advantage of cloud-based systems should be matched by equal enthusiasm to understand and manage the risk.
The Information Security Forum has developed a security model to help organizations address data privacy in the cloud and to give them a basis for identifying the key aspects of an information security program. The ISF provides insights, best practice standards and tools that address each aspect of the model to aid organizations in enhancing their information security environment.
Steve Durbin is global vice president of the Information Security Forum, a not-for-profit organization that provides guidance on all aspects of information security. https://www.securityforum.org/