Migrating your data to the cloud means that this data is dispersed across servers located around the world. The way the cloud transcends national boundaries creates compliance challenges for storing data into or allowing access to data from countries or regions with established data privacy and protection laws.
Corporations must consider these laws before collecting, storing, and processing electronic data in the cloud.
The privacy regulations landscape
Growing concerns over consumer privacy and data security have led to the development and enforcement of laws and regulations aimed at making organizations more accountable for how they manage and share the information they collect about people. The General Data Protection Regulation (GDPR) in Europe is now considered as the milestone in data privacy regulations.
The impact of GDPR goes beyond the borders of EU. Requirements contained in the GDPR are shaping privacy regulations globally. For example, the California Consumer Privacy Act (CCPA) and the new Brazilian Data Protection Rules (LGPD) both contain requirements that are similar to those of GDPR.
Despite the many similarities, companies that do business across national borders will find themselves facing a patchwork of requirements. Organizations must monitor the privacy regulatory landscape continuously and cross-reference requirements. If their privacy program has solid foundations in place, meeting additional regulatory requirements will require less effort.
Privacy considerations before moving to the cloud
Before organizations migrate their data to the cloud, there are certain considerations they should consider when protecting your data and privacy in the cloud.
Cloud security is not data privacy
The cloud security model is a shared one. Shared responsibility means a cloud security provider will be responsible for the security of the cloud, while the customers are responsible for the data they store in it. Organizations are responsible for protecting and encrypting data, classifying assets and granting permissions for identity and access management. These security controls are in place is to protect corporate data!
However, organizations need to remember that security and privacy are complementary but distinct fields, with different goals. Successfully protecting data and privacy in the cloud means that both have to be integrated.
Privacy is a contextual concept that has various definitions but generally relates to an individual’s control of information about themselves and their relations with others. Data privacy is a subset of privacy and refers to the rules organizations apply to handling the personal data of their employees or customers. Cloud security, on the other hand, generally refers to preventing unauthorized access to personal information, through technologies like network security, firewalls, encryption, etc.
Data privacy complements and strengthens existing data security. Both are incredibly important and necessary to protect data and privacy in the cloud and keep personal data both safe and usable.
Where’s my data?
According to data privacy laws and regulators, when businesses decide to move their data to the cloud they are regarded as the data controller. Therefore, they must ensure that their data is sufficiently safeguarded. They must also understand the data protection laws that are applicable in each country they are operating or face significant fines if they fail to comply. Data controllers are responsible for protecting data and privacy in the cloud.
However, cloud computing platforms can distribute their processing across multiple jurisdictions, from Europe to the US, for example. This is a common practice. Valuable customer data can be redirected without any notice as part of the normal functioning of the platform.
Data locality and sovereignty is a major concern for data protection and privacy. The Schrems II rule of the European Court of Justice invalidated the EU-US Privacy Shield agreement on data sharing, on the grounds that the US is not a safe haven for EU citizens’ data due to disproportionate surveillance practices.
Data localization is a factor that must be taken into consideration when discussing requirements with cloud providers, because it triggers various privacy and security controls. Encrypting data, anonymizing customer data, but still keeping this data usable, can become a hard balancing act.
Privacy-by-design
Just like cloud security should not be an afterthought when migrating to the cloud, the same should be with data privacy. Businesses should be proactive in ensuring that the management of data privacy has been embedded in their cloud computing design process. Privacy should be a key ingredient of their cloud strategy. Making the discipline of data privacy an integral part of business culture is a lot better than retrofitting a solution. It can save businesses from costly penalties since Article 25 of GDPR lists “data protection by design and default” as a legal requirement.
How a Cloud Security Professional can help
The attitude of businesses toward data is evolving. They are realizing that merely protecting data at different technology layers is not enough. They need a holistic approach to cloud security and privacy and must protect information through its entire lifecycle, from the moment it is captured to the day it is destroyed.
This is where a cloud security professional can become extremely valuable. Leveraging the knowledge around cloud security, privacy controls and regulations, they can apply the core pillars of authorization, logging, confidentiality, and integrity to safeguard both the security and the privacy of the corporate data in the cloud.
- Authorization. Once they identify the data that needs to be protected, the cloud security professional will have to determine who has access to what. They must apply the least privilege principle and establish a robust identity and access management (IAM) program. The IAM program should ensure that employees have the authority they need to do their job, but not so much authority that they could become a security risk if their credentials are compromised.
- Logging. Auditing and logging are helpful for meeting the accountability and transparency requirements of privacy regulations. An audit trail can be reviewed when something goes wrong, but it can also help identify security flaws and gaps, or system compromises.
- Confidentiality. Making sure data is viewed or shared with only authorized parties is important, not only for maintaining the confidence of customers and stakeholders, but also to maintain regulatory compliance. Failure to adhere to the laws can result in stiff fines and penalties.
- Integrity. Besides ensuring the validity of individuals or applications accessing personal data, cloud security professionals must prevent the accidental or malicious modification of this data. Encryption and tokenization come in handy because they make it difficult to tamper with data. At the same time, they need to ensure the protection of encryption keys and tokens to avoid being compromised or stolen.
How The CCSP Certification Can Help You Succeed
The ISC2 Certified Cloud Security Professional (CCSP) is the answer to all your data privacy concerns in the cloud. CCSP is the benchmark of cloud security certifications and is repeatedly recognized as the most valued and well-rounded cloud security certification.
CCSP is a vendor-agnostic certification that ensures that certified practitioners have the security knowledge to successfully secure and protect data in any cloud environment. It is CCSP’s unique criteria that has elevated it to a standard that has allowed it to be identified as the premier cloud security certification, providing an advantage in an increasingly competitive corporate landscape.
Attaining CCSP certification shows you have the advanced technical skills and knowledge to design, manage and secure data, applications, and infrastructure in the cloud using best practices, policies, and procedures established by the cybersecurity experts at ISC2.