by Nilesh Parmar, Senior Privacy Engineer at Privitar
The cloud is great! It’s cost-efficient, secure, scalable, mobile, has disaster recovery (DR) out of the box and can help give you a competitive edge. What’s not to like?! Almost nothing.
But when you’re placing your valuable data in that cloud, don’t be lulled into a false sense of security about the security that your cloud environment offers. Protecting data and privacy in the cloud is critically important. Because…mistakes happen. Hacks happen. Breaches happen. GDPR and the CCPA have happened. Fines have happened. And you don’t want those happening to you.
So before you start that cloud migration, that analytics project, or click that upload button, here are 4 key points you should consider when protecting your data and privacy in the cloud:
1. Security Is Absolutely Necessary, But It’s Not Privacy
You and your cloud provider will have a very well-thought-out, layered approach to security, similar to what’s in the diagram below. The reason all that security is in place is to protect your data! Remember, though, that security and privacy are complementary but distinct fields, with different goals. Successfully protecting data and privacy in the cloud means that both have to be integrated.
Privacy is a contextual concept that has various definitions but generally relates to an individual’s control of information about themselves and their relations with others. Data privacy is a subset of privacy and refers to the rules we apply to handling personal data.
Security, on the other hand, generally refers to preventing unauthorized access to personal information, through technologies like network security, firewalls, encryption, etc.
Businesses can spend hundreds of millions of dollars on security solutions, only to have data breaches still occur. On the one hand you need to ensure your data is secure, but on the other hand, you don’t want to impede projects and get in the way of people doing their day jobs.
Data privacy complements and strengthens existing data security. Both are incredibly important and necessary to protect data and privacy in the cloud, and keep your data both safe and usable.
2. Where is Your Data Being Processed?
You’ve decided to move with the times (well done!) and you’re trusting your cloud provider or your Platform as a Service provider with your data. You, as the customer, are generally regarded as the data controller. You, therefore, must ensure that your data is sufficiently safeguarded. You must also understand the data protection laws of each country whose data you’re working with, or face significant fines if you fail to comply. You are charged with protecting data and privacy in the cloud.
A little-known fact is that cloud computing models can distribute their processing across multiple jurisdictions, from Europe to the US, for example. This is common. Your valuable customer data can be redirected without you knowing it, just as part of the normal functioning of the platform.
On July 16, the European Court of Justice (ECJ) ruled to invalidate the EU-US Privacy Shield agreement on data sharing, on the grounds that the US is not a safe haven for EU citizens’ data due to disproportionate surveillance practices.
So not only must you take these factors into consideration when discussing requirements with your cloud providers, but you must also ensure that your customers are 100% aware of this and agree to it.
Respecting privacy, de-identifying your customer data, but still keeping your data usable, can be a tough nut to crack.
3. Are You Following Privacy by Design?
Are you bolting on a data privacy solution as an afterthought to your cloud systems? Or have you been proactive in ensuring that the management of data privacy has been embedded in your system design process? Privacy should be a key ingredient of your cloud strategy. Getting the discipline of data privacy ingrained in your system design process as part of your best practices is always a lot better than retrofitting a solution.
And if you’re looking for a little more motivation, Article 25 of GDPR lists “data protection by design and default” as a legal requirement.
4. Is Your Approach to Data Privacy Robust Enough?
There are definitely multiple approaches for implementing data privacy, but which one is right for you? Here are a few questions to help you weigh up what may be important:
- What kind of data do you need to protect? Operational data or analytical data?
- Is your data to be used for internal consumption only, or do you need to share it with (multiple) third parties?
- How do you plan to manage your de-identified dataset after it has been used?
- Are you planning on creating your data privacy policies centrally, or in a distributed pattern?
- Are you required to audit your data and trace it, if ever there was a breach?
- How are you planning on keeping your de-identified data highly usable? Techniques like encryption can protect your data, but they also destroy the usability of that data. De-identification techniques can protect your data without sacrificing utility.
Don’t let your cloud initiatives stall because of blockers around how to manage your sensitive data. The Privitar team can advise you on the data privacy techniques that are best suited for your company and its use cases, and your overall strategy to protect data and privacy in the cloud. Our class-leading data privacy platform is used by some of the largest organizations in the world to protect their most sensitive data.