Data Privacy in the Cloud: Critical Business Issue
Posted 2013-04-09
Protecting personally identifiable information depends on safeguards supplied by the cloud purchaser and the cloud provider, so responsibilities must be clear.
Existing Safeguards: Safe Enough?
Even organizations in which the awareness of risks is high may be taking on unacceptable risk if their cloud procurement process or information security policy hasn’t been updated to deal with data privacy in the cloud. A number of inherent aspects of cloud-based systems tend to increase privacy risk.
For example, an organization’s PII can be commingled with that of other organizations and backed up together. This can make it difficult or impossible for a cloud provider to delete one organization’s information upon contract termination. If the cloud contract doesn’t have clauses that survive termination, there may no longer be any contractual requirement for the cloud provider to safeguard the information.
Data Privacy and Cloud Confusion
Data privacy is often considered a specialist subject, involving legal concepts and definitions. Cloud-based systems, services and types are also complex, and the combination creates a challenge for people who are just looking for ways to get their job done and advance the organization’s objectives.
If the legal specialists don’t understand the technicalities of the cloud, and the technical people don’t understand the regulations, who do the business units call for advice? Some will simply accept the risk and focus on their core business objectives.
Because privacy obligations do not change when using cloud services, the choice of cloud
An Opportunity for Collaboration
The movement of PII into the cloud also provides a great opportunity for the information security department to work closely with business units to enable agility while still maintaining compliance. Cloud-based systems aren’t as complicated as many people think, and understanding the basics helps make complying with privacy requirements easier. Organizational pressure to take advantage of cloud-based systems should be matched by equal enthusiasm to understand and manage the risk.
The Information Security Forum has developed a security model to help organizations address data privacy in the cloud and to give them a basis for identifying the key aspects of an information security program. The ISF provides insights, best practice standards and tools that address each aspect of the model to aid organizations in enhancing their information security environment.
Steve Durbin is global vice president of the Information Security Forum, a not-for-profit organization that provides guidance on all aspects of information security. https://www.securityforum.org/