By Tom Kennedy, Director of Cloud & Technology Partnerships at Privitar
Amidst today’s general climate of uncertainty, one thing at least has become clear: the effects of the Covid-19 pandemic are accelerating a number of global tectonic shifts which were already underway, from de-globalisation, to automation of processes and robotics, and transformation enabled by new technologies.
These trends all pose existential questions for businesses in the immediate and long term. This post focuses on two important facets of accelerated technological adoption: data privacy and the move to the cloud. We explore how they are entwined and the issues businesses must successfully navigate to get on the front foot and position themselves for a new future in the longer term.
The first aspect of this broader trend concerns the expanded use of personal data by organisations to derive insights and develop products. This is not a new phenomenon. However, with the explosion of innovative energy directed at the development of technologies to fight COVID-19, we are seeing that many of these tools – from contact-tracing apps to mass healthcare data analytics – are not uncontroversial in their relation to the right to privacy. My colleague Guy Cohen has outlined these issues in detail, and the sorts of questions that we need to consider as we adapt to the demands of a new reality.
The second is the accelerating adoption of cloud. Prior to COVID-19, businesses were already retiring their own data centers and maintained IT infrastructure in favour of renting computing, storage and databases from Amazon (Web Services), Microsoft (Azure) and Google (Cloud Platform), taking advantage of reduced costs, unlimited scalability and flexibility that the cloud offers. Beyond that, more forward-looking and disruptive companies are looking to utilise powerful cloud analytics and machine learning technologies to innovate and push boundaries.
Aside from the stark imperative to rationalise costs, the necessities that COVID-19 has imposed on business are forcing more flexible ways of working – from content and network streaming, to sharing and co-editing documents across distributed teams, to real-time access to analytical insights from extraordinary volumes of data – and all of these business-critical activities rely on cloud technology.
Underlying this remains the fact that the lifeblood of modern business is data, which is pumping into and around the cloud on an ever-increasing scale. And when businesses which collect, manage and use vast amounts of personal or otherwise sensitive data, for example in financial services, healthcare & pharmaceuticals, retail and telecommunications, want to leverage cloud technology fueled by that data, privacy becomes a critical issue.
First, there’s the level of risk that businesses expose themselves to by using raw data containing information relating to individuals for analytics and other secondary purposes. The privacy risks inherent in sensitive or personal data exist whether the data resides in the cloud or not. However, the more data you’re dealing with, and the more you are looking to do with it, the greater the privacy risk you’re exposed to. The consequences, in terms of data breaches, regulatory fines and damage to brand trust and reputation, are already sufficiently serious that they are a top boardroom concern, and don’t need repeating here.
The second issue around using sensitive data in the cloud relates to an important distinction between privacy and security, and a more nuanced understanding of where responsibility lies for data in the cloud. Since its inception, cloud computing has been dogged by the notion that it is less secure than on-premises systems, because control of it is somehow “out of your hands”. Due to huge investments in the depth and scale of security resources, today the security of cloud platforms is as good as, if not better than, most on-premises systems. Extensive capabilities around logging & auditing, identity & access management, network protection, compute protection, and encryption of data at rest in databases & storage all help achieve the data security goals of confidentiality, integrity & availability.
Securing data and preserving privacy, although complementary, are two different things. Both are necessary to access and use data safely. Properly securing data ensures that access is limited to authorized users. Unfortunately, however, most data misuse occurs when authorized access is used inappropriately or compromised, whether through an insider threat or stolen credentials.
Preserving privacy, on the other hand, means protecting the data subject. For example, even if the authorised individual accessing the data misuses it, maliciously or by accident, the identity of those in the dataset is still protected.
It is here – in data privacy – where responsibility passes back from the cloud providers to the customer. Each of the three main cloud providers, Amazon Web Services, Microsoft Azure, and Google Cloud Platform, employs a “shared responsibility model” to define the split of responsibilities between the cloud provider and the customers using its services.
For all three, responsibility for the customer’s data sits with the customer.
Google Cloud Platform:
To be clear – this isn’t because the cloud platforms are shirking responsibility. Rather, it relates to obligations set out under GDPR and other data protection laws: whereas the cloud platforms are the “data processors”, a cloud customer would be viewed as a “data controller” if they determine the purposes for which and the manner in which the data is being processed. This means that the customer remains responsible for the processing of personal data, even if the processing takes place in the cloud. So although AWS, Microsoft and Google all provide extremely secure cloud platforms, customers must still take steps themselves to ensure the privacy of the data itself is protected.
So what should businesses do to manage this challenge as they speed towards cloud adoption? It’s an urgent and critical issue, but is it clear how to manage it?
To realise the promise of safe, usable data leveraging cloud technologies, businesses need to implement and automate a “safe data pipeline” into and around the cloud. This will enable safe, quick access by data scientists and business lines that need it.
For many organisations with large, complex or siloed data estates, an important step is first knowing what data they have and where their sensitive data is, which can be achieved with the help of data discovery and cataloguing systems. Raw data should be treated as high risk until the scope of any personal information it contains is understood. It is critical to maintain tight access controls on this data.
Once you know where your sensitive data is and have properly catalogued it, the next step is to apply privacy transformations to the data itself. Only a contextual combination of pseudonymisation, minimisation and generalisation techniques will allow the right balance to be struck between privacy and the continued utility of the data. These transformations can be applied to the data either before migrating it to the cloud, on its way into the cloud, or once it has landed in the cloud. The data can then be made widely available for use from a “de-identified data lake”, or from any other cloud data repository.
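The three transformations named above, applied to records before they are loaded into a de-identified repository. This is an added example, not Privitar's code or any cloud provider's API; the field names, the key, the UK-style postcode handling and the sample records are assumptions constructed for illustration, and the group-size check at the end goes beyond the text to show one way of measuring whether generalisation has gone far enough.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: in practice the key lives in a secrets manager, outside the data lake.
PSEUDONYM_KEY = b"constructed-demo-key"
# Minimisation: fields not listed here never leave the raw zone.
ALLOWED_FIELDS = ("customer_id", "age", "postcode", "spend")

def pseudonymise(value, key=PSEUDONYM_KEY):
    """Keyed HMAC-SHA256 token: stable for joins, not recomputable without the key."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def generalise_age(age, width=10):
    """Replace an exact age with a band such as '30-39'."""
    low = (int(age) // width) * width
    return f"{low}-{low + width - 1}"

def generalise_postcode(postcode):
    """Keep the outward part of a UK-style postcode (inward part = last 3 characters)."""
    compact = "".join(str(postcode).split()).upper()
    return compact[:-3] if len(compact) >= 5 else ""

def deidentify(record):
    """Apply minimisation, pseudonymisation and generalisation to one raw record."""
    kept = {k: record[k] for k in ALLOWED_FIELDS if k in record}
    return {
        "customer_token": pseudonymise(kept["customer_id"]),
        "age_band": generalise_age(kept["age"]),
        "area": generalise_postcode(kept["postcode"]),
        "spend": kept["spend"],
    }

def smallest_group(rows, quasi_identifiers=("age_band", "area")):
    """Size of the rarest quasi-identifier combination; 1 means someone is still unique."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(counts.values())

# Constructed sample records, not real data.
RAW = [
    {"customer_id": "C-1001", "name": "A. Example", "age": 34, "postcode": "SW1A 1AA", "spend": 120.5},
    {"customer_id": "C-1002", "name": "B. Example", "age": 37, "postcode": "SW1A2AB", "spend": 80.0},
    {"customer_id": "C-1003", "name": "C. Example", "age": 52, "postcode": "M1 1AE", "spend": 15.25},
]
SAFE = [deidentify(r) for r in RAW]

if __name__ == "__main__":
    for row in SAFE:
        print(row)
    print("smallest group:", smallest_group(SAFE))
```

A smallest group of 1 means at least one person is still unique on age band and area, so wider bands or coarser areas would be needed before that data is shared broadly.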
In thinking about how to implement this, there are a few key principles that businesses should adhere to:
These high-level requirements will serve as the key building blocks for ensuring that organisations can safely and quickly shift their sensitive data into the cloud, then utilise advanced cloud services while complying with data protection laws, and ultimately protecting the privacy of their own consumers, patients or citizens.
In today’s environment there is no excuse for organisations to be leaving value on the table from their sensitive data. By putting privacy at the heart of their approach to cloud adoption, businesses can unleash the power of their data to innovate and generate revenue safely and efficiently while remaining compliant.