Challenges exist for enabling data privacy and data security when implementing cloud technologies
Interesting insights on the enablement of digital capabilities using cloud-based data capabilities came from a recent survey of C-suite, Information Technology and Artificial Intelligence practitioners.
68% of IT practitioners said they are using the cloud to store most of their data.
Other insights include C-level leaders' plans to move data to the cloud for storage and to use this data to serve Artificial Intelligence (AI) needs while driving strategic decisions.
Nine of ten IT professionals believe that in the next two years, most of their data will be on the cloud, providing improved digital support. This shift will require increased attention to enterprise data management services, especially for data privacy and data security.
With the evolving global and local data privacy laws and regulatory compliance requirements, organizations are moving towards a data-centric security approach to meet these growing obligations.
Choosing the correct data protection technology is critical in unlocking data capital for business impact and operational advantages. Several challenges organizations face in unlocking data protection approaches include:
- Discovering data amid exponential data growth and identifying personal and sensitive data
- Organizations have historically rolled out siloed, purpose-based technologies into the landscape that secure only specific types of data, systems, or environments
- Simplifying data further into logical partitions like data domains that assist in managing a group of personal data, at a specific pace.
Privacy and Security Classifications by the Data and Privacy Offices
The first step for any data protection program starts with knowing where all sensitive data resides and flows. Also, for global organizations it is essential to have an enterprise approach to data privacy, as part of the enterprise data management program. “To start with, how do we put a single privacy classification schema that rationalizes the privacy requirements across the data landscape as data is discovered.”
For example, while GDPR doesn’t classify financial information as personal data, other regulations classify such information as personal data. Thus, the context to support creation, storage, distribution, and use of data provides direction to the privacy classification.
Data and privacy offices can use a combination of privacy and security classification techniques. These privacy requirements can then drive the implementation of security controls either on-premise or on the cloud, for data-at-rest and data-in-motion.
1. The data privacy office can categorize data into applicable regulatory and policy-based domains like the GDPR, PCI DSS, India IT Act, CCPA, HIPAA, etc.
2. Further, the categorization of data can be extended to privacy domains including national identifiers (e.g., SSN), financial data, and behavioral data, etc.
3. Equipped with the privacy domains, and classifications, the Data Office can classify data based on customer identification mechanisms. Examples include direct customer identifying data, indirect customer identifying data or personal, sensitive personal and special category data.
4. The information security function should provide information security classifications and definitions: Restricted, Internal, Confidential, or Public.
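An added example (not from the article) of steps 1 to 4 applied to sampled column values, the way an automated classifier might tag data as it is discovered. The pattern rules, the 80% match threshold, the `encrypt` flag and every row of `POLICY` are assumptions chosen for illustration; a real privacy office would supply its own schema.

```python
import re

SSN_RE = re.compile(r"(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def luhn_ok(digits):
    """Luhn checksum: separates card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def privacy_domain(value):
    """Step 2: map one value to a privacy domain, or None if nothing matches."""
    v = value.strip()
    if SSN_RE.fullmatch(v):
        return "national_identifier"
    digits = re.sub(r"[ -]", "", v)
    if re.fullmatch(r"[0-9]{13,19}", digits) and luhn_ok(digits):
        return "financial"
    if EMAIL_RE.fullmatch(v):
        return "contact"
    return None

# Steps 1, 3 and 4 as a lookup: domain -> (regulatory domains, identification
# class, security classification). Every row is an assumption for this example.
POLICY = {
    "national_identifier": (["CCPA"], "direct", "Restricted"),
    "financial": (["PCI DSS"], "indirect", "Confidential"),
    "contact": (["GDPR", "CCPA"], "direct", "Confidential"),
}

def classify_column(samples, threshold=0.8):
    """Classify a column from sampled values; weak or no matches stay Internal."""
    hits = {}
    for s in samples:
        d = privacy_domain(s)
        if d:
            hits[d] = hits.get(d, 0) + 1
    domain = max(hits, key=hits.get) if hits else None
    if domain is None or hits[domain] / len(samples) < threshold:
        return {"domain": None, "regimes": [], "identification": None,
                "security": "Internal", "encrypt": False}
    regimes, ident, sec = POLICY[domain]
    return {"domain": domain, "regimes": regimes, "identification": ident,
            "security": sec, "encrypt": sec in ("Restricted", "Confidential")}

# Constructed sample values, not real data.
print(classify_column(["123-45-6789", "219-09-9999", "n/a"], threshold=0.6))
```

The threshold keeps a free-text column with one stray e-mail address from being tagged as contact data; lowering it trades false negatives for false positives.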
Data Management can bring further clarity to security, supporting data management in its life-cycle:
A data privacy function can bring focus on a critical technology control: data encryption. Moreover, encryption can act as the last line of security defense and apply protection and controls directly to personal data. Encryption of personal data ensures that data remains secure wherever it is distributed and renders it useless to attackers.
A Zero-Knowledge encryption approach has become widely adopted, enhancing the security of data. Zero-Knowledge encryption means that service providers know nothing about the data an organization stores on their servers. With organizations moving their workload to the cloud, it is important to understand key functional problem areas:
Visibility into encryption keys:
Cloud service providers are perceived to provide limited visibility into key management and into key access by their users and by internal privileged users.
Risk of data loss:
Insufficient authorization control or Disaster Recovery (DR) services to ensure keys are not accidentally or intentionally deleted.
Organizations should embrace hybrid cloud capabilities and should not be confined to cloud-specific key management services or vault.
Key Lifecycle Management
Native CSP key management services have limited ability to automate the life-cycle of keys, especially across multiple subscriptions. Key lifecycle management for encryption is an essential component.
However, the decision to go with a third-party key store rather than the one provided by the cloud service provider is based on the risk appetite of the organization and perceived risk as well as the opportunity to embrace hybrid clouds.
Data in motion security
Data in motion, also referred to as data in transit, is the transfer of data between locations, either within or between systems and storage. Data in motion can be sent from an on-premise system to the cloud, or other exit points. Once the data arrives at its destination, it becomes data at rest.
Securing sensitive data in transit: in-network and inter-data-center traffic
With the digital transformation journey and the rapid growth of virtualization, big data applications, cloud computing, and data center services increasingly rely on high-speed, high-availability data networks to deliver information when and where it is required.
Network data is at the greatest risk when it contains sensitive, confidential, or personally identifiable information. The high data volumes involved in everyday tasks become an alluring proposition for cyber-criminals, as they seek financial gain from the data and its metadata, available in network traffic. The threat of malicious insider abuse also becomes much higher due to the availability of valuable content.
As data leaves the perimeter of a controlled environment, one can’t be sure that it remains secure and will not fall into the wrong hands.
When considering the protection of network data, organizations need to consider securing both:
- The raw data source (video, audio, text, etc.)
- The metadata associated with the data
The advanced data analysis tools available today enable unauthorized users to interrogate and interpret high volumes of data, both in transit and at rest.
Organizations need to consider high-speed network encryption technology that serves the data-centric security purpose without impacting network performance and availability.
Security of Data Stored in Cloud Environments
Cloud practices can embrace the latest advancements in security to securely store, move, and back up data on the cloud. It is important to understand the following points and their applicability to the organization’s current state and requirements:
- Discovery of data in cloud storage using catalog services
- Automated classification of data in cloud storage
- Entitlement management for data in cloud storage
- Administration of column-level access through entitlements
- Administration of preferred techniques of masking, anonymization, pseudonymization, and redaction for personal data
- Secure management of data-in-motion as well as north-south (N-S) and inter-data-center (Inter-DC) traffic
- Centralized management of encryption keys for hybrid cloud
- Full key lifecycle management and control
Various models of key management and encryption for cloud services have evolved in the recent past, including:
- Cloud service provider key store & encryption services as SaaS, PaaS, IaaS offerings
- Non-shared key-store services on cloud
- Bring your own key model – customer managed keys
- Bring your own encryption model – customer managed encryption
Although challenges exist in the development and use of cloud computing services and storage for sensitive data, there are ways to mitigate the risk and ensure effective data security, enabling appropriate data privacy.