A Guide to Data Privacy in the Cloud

Is it possible to keep data private when it is used and stored in the cloud, particularly a public cloud? It is a hard question to answer given the almost daily emergence of new cyber-threats and the steady stream of media reports about data breaches. For most organizations, however, the benefits of the cloud outweigh the risks, even where sensitive or confidential data is concerned. And there are concrete things you can do to protect your data and help ensure that what needs to be private remains private. This guide offers a few of them for your consideration.

Uploaded by: peak-10

Posted on 15-Jan-2015


01 Know Your Data.

No matter how many precautions and protocols are employed, there are no guarantees when it comes to data privacy in the cloud. That is why it is important to review the various types of data you have and determine whether any of it is too risky to be used or stored in a cloud environment. Knowing your data also helps you devise and implement appropriate internal processes for ensuring data privacy.

Intellectual property (IP), such as patents, architectural renderings, source code and trade secrets, can be of particular concern for some companies, as can sensitive personal information such as health records and credit card information.

Here’s what you need to do:

• Outline what kinds of data are considered sensitive and/or proprietary.

• Determine who needs access to this data, and who you want to make sure does not have access.

• Consider what the impact would be to your organization if this data were compromised or lost, or if it were unavailable for a certain amount of time.

• Assess the impact that the use of cloud computing could have on any privacy commitments or obligations related to the data you wish to use or store in the cloud.

• Understand the regulations and other standards that are in place to protect the particular type of data you are considering using or storing in a cloud environment, such as the Payment Card Industry Data Security Standard (PCI DSS) for consumer credit card information and the Health Insurance Portability and Accountability Act (HIPAA) for protected health information. Can you implement the controls required to comply with them?

• If you are outsourcing to a cloud services provider (CSP), you will want it to be compliant to whatever extent is appropriate as well. However, even if a CSP is compliant with regulatory requirements, your company remains ultimately responsible both for compliance and for protecting the integrity and privacy of your data.

“There are no guarantees when it comes to data privacy in the cloud.”

02 Make Data Privacy a Company Priority, Not Just a Cloud Priority.

Data privacy starts within your company. Create policies and procedures for data privacy, including specific ones that govern the protection of sensitive data, intellectual property and any copyrighted or proprietary information. Your policies should clearly define accountability and be communicated to your entire staff.

Make sure to specify how to handle the sharing of or access to your data with third parties as well as within your own company. Your policies should also take into account the privacy rights of your customers, employees, consumers and other stakeholders as appropriate.

If you are going to work with a cloud services provider (CSP), make sure it can abide by your policies and that its own policies are complementary.

Establish an organizational structure within your own company that allows a CIO, CISO or other security or privacy leader to actively participate in vetting and implementing data privacy protocols, within your company as well as in the cloud, to ensure that they are handled appropriately. Consider establishing a functional role in your organization that is dedicated to information governance oversight to better protect your company.

Perhaps most important, make data privacy and security everyone’s responsibility. Provide employee training and continuing education to reduce behaviors that can put data at risk and help employees understand what they can do to ensure data privacy and security.

“Make sure to specify how to handle the sharing of or access to your data with third parties as well as within your own company.”

03 Know Where Your Data Will Be.

If you are going with a cloud services provider (CSP), this is a must. CSPs may store data redundantly in different locations, some of which may be in countries that don’t have the same intellectual property, copyright and data protections as we do in the U.S. You want to know where your data is at all times.

In addition, some CSPs outsource to third parties to meet demand spikes. Those third parties may be located in a country with tenuous data protection, intellectual property or copyright laws, yet still have access to your data. You need to know this, and how your CSP monitors that access.

The vague, ambiguous nature of the cloud can make determining how various laws will apply, or whether they can even be applied, a challenge. Because laws involving intellectual property, copyright and data privacy are often territorial, it is unclear in many instances how they will apply in the cloud. If you don’t want to take chances, only work with CSPs that can assure you that your data will be kept within U.S. borders.

While intellectual property laws may not be as strict outside the U.S., data privacy laws in the European Union (EU) are extremely stringent. If the data you’ll be storing in the cloud belongs to European citizens, you’ll want to make sure the CSP you work with at least has Safe Harbor certification. Created as a collaborative effort between the EU and the U.S., Safe Harbor permits data transfer from the EU on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles. (Note that the Court of Justice of the European Union invalidated the Safe Harbor decision in October 2015, after this guide was published; confirm that the transfer mechanism your CSP relies on is currently valid.)

“The vague, ambiguous nature of the cloud can make determining how various laws will apply, or if they can even be applied, a challenge.”

04 Perform Due Diligence When Selecting a Cloud Services Provider.

If you’ve made the decision to use or store sensitive data in the cloud, and are considering a cloud services provider (CSP), conduct a thorough review and audit of its security qualifications. Make sure to include your IT security specialists or an outside consultant specializing in IT security in the process.

Review the CSP’s privacy practices, and insist that any CSP you are considering offer a high level of transparency into its security infrastructure, so that you can be confident that information stored in the cloud will be secure.

Important considerations include:

• How does the CSP handle disclosure of the physical location of data? You will want to know where your data is kept, including the location of replicated or backed-up data files.

• Does it employ stringent processes to separate customer data?

• Does it subcontract any of the services it will be providing you? Many CSPs use subcontractors when things get busy, which means your data could end up in another country at some point, one with weak or difficult-to-enforce privacy and intellectual property laws.

• Can the CSP provide you with assurances (in writing) that it will not mine customer data for advertising or other purposes, or make your data available to any third parties?

• Does the CSP adhere to the relevant attestation standards and regulatory frameworks, such as SSAE 16, PCI DSS and HIPAA? Will the CSP provide you with proof of compliance, such as an audit report? (Keep in mind that even if a CSP is compliant with specific regulatory requirements, you are still ultimately responsible for compliance.)

• Does the CSP meet privacy and data protection regulations and laws in other countries?

05 Read All Contracts and Service Level Agreements Carefully.

Make sure you understand what is and is not included in contracts and service level agreements with cloud services providers (CSPs). Don’t hesitate to negotiate if you are not completely comfortable with the contents. You should also have all contracts and service level agreements undergo a legal review.

Strong contractual protections are especially critical if intellectual property or other sensitive data is involved. Make sure the protections and controls are explicit and measurable.

Among the questions to ask:

• Do the materials require the CSP to follow approved security and other industry security standards?

• Will the CSP agree to provide you with regular audit or certification reports?

• Will the CSP provide you with the locations where your data and applications will be processed and stored, and tell you what access any subcontractors may have and what policies are in place to control subcontractor access?

Keep in mind that standard terms keep cloud computing relatively inexpensive, but they may not work for your company. If you need something special, it may cost more, but it will be well worth the investment if it keeps your data safe and provides you with peace of mind.

06 Secure Your Data Yourself.

No matter what data protection assurances a cloud services provider (CSP) gives you, you can always supplement its efforts by providing a layer of additional data security.

Consider end-to-end encryption for any data that will reside in the cloud, especially if it is subject to regulatory compliance concerns: encrypt data before it leaves your environment, and keep it encrypted in transit and at rest. Make sure to retain ownership of your data by retaining ownership of the encryption keys, and do not give them to your CSP. A CSP that holds both your ciphertext and your keys can read your data, and so can anyone who compromises that CSP.

If encryption alone does not meet your risk or compliance needs, consider tokenization. Like encryption, tokenization conceals data so that it is protected from unauthorized parties. However, a mathematical link back to the original data still exists when you use encryption: anyone who obtains the key can recover the plaintext. Tokenization replaces a sensitive value with a randomly generated token that has no mathematical relationship to it, and keeps the only mapping back in a token vault under your control, so the original data is completely removed from the systems in which the replacement tokens reside.

Consult with data security specialists too. They are usually on the leading edge of the latest data privacy technologies and can provide you with guidance. You will also want to revisit any controls you implement on a regular basis, so you can stay on top of potential new threats.

In addition, continue to engage in proactive compliance management with privacy and data protection laws, regulations and other requirements on a domestic and international basis.

Data privacy is a moving target. It’s important to do whatever you can to keep up with it.

“Consider end-to-end encryption for any data that will reside in the cloud, especially if it is subject to regulatory compliance concerns.”
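The two controls this section recommends, client-side encryption with customer-held keys and tokenization backed by an on-premises vault, as an added Python example. This is not code from the guide or from Peak 10. The cloud store, the token vault, the record format and the sample record are all constructed for illustration, and the HMAC-SHA256 cipher is a demonstration of the encrypt-then-MAC pattern built from the standard library; it stands in for a vetted AEAD such as AES-GCM from a maintained crypto library, which is what you would use in production.

```python
"""Added example, not from the Peak 10 guide: a customer-held-key encryption layer and a
tokenization vault in front of a simulated cloud store.  The cloud side only ever holds
ciphertext and tokens.  The cipher is a stdlib demonstration construction (HMAC-SHA256 in
counter mode as a keystream, encrypt-then-MAC) standing in for a vetted AEAD such as
AES-GCM; use a real library in production.  All names, keys and records are constructed."""
import hashlib
import hmac
import json
import secrets


class CloudStore:
    """Simulated CSP object storage: opaque bytes that an insider or intruder could grep."""
    def __init__(self):
        self._objects = {}
    def put(self, name, blob):
        self._objects[name] = blob
    def get(self, name):
        return self._objects[name]
    def mine(self, needle):
        """What someone with access to the CSP's disks could do: search every object."""
        return [n for n, b in self._objects.items() if needle in b]


# ---- customer side: the master key and the token vault never leave here ----
def _derive(master_key, label):
    """Purpose-specific subkey from the customer-held master key (HMAC as a simple KDF)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(master_key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag.  `aad` (here the object name) is bound into the
    tag, so a blob cannot be silently swapped onto a different object."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(master_key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; any tampering raises."""
    if len(blob) < 48:
        raise ValueError("blob too short to hold nonce and tag")
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong object name or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TokenVault:
    """Tokenization: a random token replaces the value; the only way back is this on-prem table."""
    def __init__(self):
        self._to_value, self._to_token = {}, {}
    def tokenize(self, value):
        if value in self._to_token:  # same value -> same token, so records stay joinable
            return self._to_token[value]
        token = "tok_" + secrets.token_hex(8) + "_" + value[-4:]  # keep last 4 for display
        self._to_value[token], self._to_token[value] = value, token
        return token
    def detokenize(self, token):
        return self._to_value[token]


def store_customer_record(cloud, vault, master_key, name, record):
    """Tokenize the card number so the cloud never holds the PAN at all, and encrypt the
    free-text notes before upload so the CSP holds only ciphertext for them."""
    visible = dict(record)
    visible["card"] = vault.tokenize(record["card"])
    visible["notes"] = encrypt(master_key, record["notes"].encode(), aad=name.encode()).hex()
    cloud.put(name, json.dumps(visible).encode())

def load_customer_record(cloud, vault, master_key, name):
    stored = json.loads(cloud.get(name))
    stored["card"] = vault.detokenize(stored["card"])
    stored["notes"] = decrypt(master_key, bytes.fromhex(stored["notes"]), aad=name.encode()).decode()
    return stored


SAMPLE = {"id": "c-1001", "card": "4111111111111111",  # constructed sample, not real data
          "notes": "Patient Jane Doe, follow-up visit on 2015-02-01"}

def demo():
    cloud, vault, master_key = CloudStore(), TokenVault(), secrets.token_bytes(32)
    store_customer_record(cloud, vault, master_key, "customers/c-1001", SAMPLE)
    return {
        "round_trip": load_customer_record(cloud, vault, master_key, "customers/c-1001"),
        "pan_in_cloud": cloud.mine(b"4111111111111111"),  # [] : the PAN was never uploaded
        "name_in_cloud": cloud.mine(b"Jane Doe"),         # [] : the notes are ciphertext
        "cloud_copy": json.loads(cloud.get("customers/c-1001")),
    }
```

Calling `demo()` shows the three properties the section argues for: the record round-trips for the party holding the master key and the vault, the copy the CSP holds contains a token rather than the card number, and searching the CSP's storage for either the card number or the patient's name finds nothing. The boundaries are the point: the master key and the vault table live on the customer side, and the only change needed to take this toward production is replacing the HMAC construction with AES-GCM from a maintained library and putting the vault behind a proper access-controlled service.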

LEARN MORE

If you are interested in learning how Peak 10 can help keep data safe and private in the cloud, let us know. We tailor solutions to meet the specific needs of our customers, drawing upon our secure, reliable cloud services; a wide range of managed security services; and a commitment to maintaining compliance with a variety of regulatory requirements and industry standards.

Get a FREE consultation TODAY: 866.473.2510 | Peak10.com

Note: The contents of this guide are for information purposes only. Peak 10 makes no claims that adhering to any of the recommendations provided will ensure data privacy or security.