New privacy laws have changed the way businesses are operating online. In the U.S., CCPA came into effect on January 1, 2020, and the European Union GDPR regulations are now embedded. These changes are impacting upon the cloud data privacy landscape.
The impact of such regulations is requiring organizations to change the ways they store and process sensitive consumer data. While most companies still run on-premise server hardware to properly store and manage data, they can also achieve this compliance in the cloud.
To ensure an appropriate and compliant cloud computing solutions is selected, businesses need to ask their cloud service providers to add controls that could strengthen data security, such as encryption and data governance. In addition, they should implement their own controls, such as measures to ensure they find all the information they store about a given data subject and delete it if necessary.
Heikki Nousiainen, CTO of Aiven explains why it is advisable for companies to consider all regulations and policies on data processing during multi-cloud deployments in order to ensure compliance.
Digital Journal: Responsibility for data security and compliance in the cloud is shared between multiple parties. As customers evaluate cloud service providers, why is it important for each party to understand and distinguish who is responsible for securing which part of the cloud?
Heikki Nousiainen: As the data privacy landscape heats up, enterprises need to focus on securing their systems while ensuring all data is being stored and managed according to local regulations. As cloud providers join the picture, it’s evident cloud security is a shared responsibility. While it’s the cloud provider’s job to secure the cloud infrastructure itself, it is not their job to secure the data, applications and operating systems running in the cloud.
The only way to make sure you are upholding your end of the bargain is to understand exactly what parts of the model you are responsible for. Cloud infrastructure service providers are responsible for meeting compliance on computing, storage, databases and networking. Providers are also responsible for the compliance of their global infrastructure, which includes servers and other hardware located in all locations around the world.
On the other hand, companies are responsible for ensuring compliance on their platforms, applications, identity and access management tools and processes, operating systems, networks and firewall configurations.
DJ: With GDPR and CCPA in effect, what will be the most challenging part of maintaining data compliance in the cloud? What are some of the common pitfalls to be avoided?
Nousiainen: Cloud compliance ensures that cloud computing services meet the compliance requirements of enterprise customers. However, enterprises adopting cloud services should not assume that every cloud company meets the organization’s unique requirements.
Enterprises should always do their due diligence in vetting a cloud services partner to ensure the way their data is being managed aligns with their needs and meets compliance standards. As a safeguard, enterprises should verify that their cloud provider submits to third-party audits that demonstrate compliance with the CCPA or any other industry related requirements.
DJ: The CCPA will enable individuals to take a more active role in monitoring and protecting their personal information. How will the cloud help businesses take stock of their privacy controls and keep an eye out for gaps in meeting CCPA requirements?
Nousiainen: Cloud and managed service providers serve a number of customers that are bound by GDPR and CCPA requirements, and offer a variety of controls that comply with data storage and processing regulations. These controls include access management with audit capability, network security controls such as firewalls, and data encryption in-transit and at rest.
One area where cloud and managed service providers really excel is the programmatic access to all these security controls, allowing enterprises both to rapidly deploy these security services but also monitor and audit the deployed controls as ease. In turn, this can help the companies have a comprehensive view of all data they have collected and stored.
While utilizing the cloud can certainly help manage proper access controls with any sensitive map, enterprises should consider implementing a CCPA data map as a formal procedure for tracking data they store and process. This can help enterprises determine what type of personal data is collected, for what purposes or applications is the data collected, and do these processes comply with CCPA regulations.
DJ: Many people still think that the cloud is less secure than other alternatives. Why does this perception still exist? And why is it false?
Nousiainen: Misconceptions about cloud security still exist for many companies who are unfamiliar with the cloud’s infrastructure and are used to on-premises security practices. The reality is often that cloud adoption is much more secure for organizations’ data storage and processing needs. A cloud provider’s business and reputation depends in large part on keeping customer data secure, and therefore the provider would employ a dedicated security staff tasked with defining and operating customers’ infrastructure securely.
Cloud providers also extend a rich set of security controls and services on managing access and visibility to the customer data. Being able to deploy and codify these security controls in code or in configuration management systems make it much easier to systematically develop, maintain and review the controls in place.
It’s also worth mentioning the impact on availability, for which the increased resilience and redundancy of the cloud provider infrastructure allows one to sustain operations through or recover from large scale catastrophic errors.
DJ: What other benefits do cloud-based solutions offer over on-premise hardware?
Nousiainen: Benefits of cloud-based solutions extend beyond the updated security measures and data privacy services that many providers offer. Companies go to the cloud to gain greater flexibility, such as being able to access and move data efficiently. Other companies choose the cloud over on-premise hardware to achieve cost savings by eliminating the expense of upkeep and internal resources that comes with on-premise options. Moving to the cloud also provides better scalability, allowing businesses to expand their storage quickly and at a lower cost than on-prem, where you would have to purchase additional servers and data centres as business grows.
