Data Privacy in the Cloud: Critical Business Issue

By Steve Durbin

Cloud-based systems come with inherent challenges, and these are complicated as information that’s subject to privacy regulations—known as personally identifiable information (PII)—inevitably moves into the cloud. In fact, Gartner predicts that more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud by the end of 2016.

PII is subject to regulatory obligations that don’t apply to other types of information. Obvious examples include names and addresses, social security numbers, medical records, bank account details, photos, videos and even information about what a person likes, his or her opinions, and where that person works—basically, any information that makes the person identifiable.

Keep in mind that the information does not have to include a name to be PII. For example, in some cases, a date of birth combined with a ZIP code may be enough to identify someone.

Organizations need to know whether the information they are holding about an individual is PII and consequently needs protection. Protecting PII is the responsibility of the data controller, typically the organization that purchases the cloud-based system. Because protecting PII in the cloud depends on the right combination of controls and safeguards supplied by the purchasing organization and the cloud provider, the responsibilities of each party need to be clearly defined.

Many types of cloud-based services and options are available, and each combination offers a different range of benefits and risks. Privacy obligations don’t change when using cloud services; therefore, the choice of cloud type and cloud service requires detailed consideration before being used for PII.

Every cloud-based system is a combination of a particular cloud service deployed on a specific cloud type. There are three kinds of cloud services—infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS)—and each has different inherent risks, as does each cloud type (private, community or public).

The cloud service purchased defines the extent to which the cloud provider is responsible for managing the infrastructure, and consequently the extent to which the provider can see your organization’s information. Clearly, a private cloud is the safest option, but it has implicit costs that may exceed the organization’s budget or resource capability, and therefore may not be the best business-based choice.

A public cloud—in which data is stored by a third party—means that the organization is outsourcing the management and security of its data. In a community cloud, organizations within a certain community share the infrastructure and its costs.

Each cloud service and each cloud type provides a different level of control to the purchasing organization. Therefore, a different degree of inherent risk exists in each of the nine categories of cloud-based systems.

Buy Your Own Cloud: Who’ll Manage the Risk?

Cloud-based systems are easier to procure than traditional IT systems: They can be commissioned by almost anyone with budget authority. However, this increases the likelihood and frequency of cloud-based systems going into production in an organization.

The ease of procurement also increases the probability that cloud-based systems will be managed and used by people who are unaware of the regulatory obligations, so they may not assess or manage that risk. The result is an increase in unsafe cloud-based systems.