Data Privacy Laws Add Complexity to Securing the Cloud

There are 12 states currently considering new data privacy laws or updates to laws already in place. The Virginia Consumer Data Protection Act (VCDPA), for example, goes into effect on January 1, 2023. All of these state privacy laws, coupled with international data privacy laws, come with their own individual set of regulations that create challenges for data security teams everywhere. How do organizations meet all of these unique data compliance regulations?

Considering that much of the relevant data is transmitted or stored in the cloud, how do you best address the data privacy laws in a global workforce and in a cloud environment?

Carefully, said Tim Wade, Deputy CTO at Vectra, in an email interview.

“Often this involves clear and intentional segmentation of storage and access such that geographic region or national origin maintain clear separation with respect to legal requirements. Assuming these laws materially improve the privacy of individuals they’re designed to protect, that allows such protection to exist across a global workforce—the challenge, of course, is the additional IT management complexity it introduces which increases the likelihood of a material security failure.”

Responsibility for Data Privacy in the Cloud

Privacy laws state that organizations are responsible for the data they collect wherever it is ultimately processed or stored, explained Rehan Jalil, CEO of Securiti, in an email interview. It isn’t just the people inside the organization who have to follow privacy compliance regulations and security requirements; all third parties, outsourcers and cloud providers must provide robust security and privacy policies and it is up to the organization to ensure this happens.

“Organizations have to know every cloud service that their users and systems connect to and review the data transfers to these cloud services (and any further subcontracting) to ensure that regulations are not being broken,” said Jalil.

Because of the complexity and patchwork nature of American data privacy laws, organizations need to know exactly where their employees and customers are based. Typically, these laws are based on residency rather than the citizenship of the individual whose data is being collected and processed.

Knowing this, the security and compliance teams can then begin the hard work of identifying the privacy laws that apply to each individual and to each category of sensitive data.

“By discussing, identifying and defining each business’ privacy requirements, companies can work backward to identify which country, state and/or local privacy laws the company is subject to,” said Alex Ondrick, director of security operations at BreachQuest, via email.

The Role of Data Privacy Laws in Cloud Security

Data privacy laws should always be considered as part of cloud security, said Jalil.

“Many regulations discuss cross-border transfers and define minimum requirements before data is allowed to move from one location to a different country,” said Jalil. “The organization, therefore, needs to review where data is stored and processed and review all laws in other countries to ensure that the appropriate legal and technical safeguards are in place.”

To avoid penalties for non-compliance, companies must thoroughly research the data privacy laws of the countries they are operating in before placing sensitive and critical data in the cloud, advised Shweta Khare, cybersecurity evangelist at Delinea.

“The cloud is a shared responsibility. Never assume that the cloud provider’s default security controls can completely protect your data and help meet specific compliance and regulatory requirements,” said Khare. “While the cloud providers have good controls in place for data protection in the cloud, they make it clearly known that customers remain responsible for complying with applicable compliance laws, regulations and privacy programs.”

One of the biggest risks for both cloud security and data privacy compliance is a lack of awareness of the amount of data sprawl happening inside the organization. As Jalil pointed out, too many organizations have no idea how many files individual users have created, what type of data is in those files (and whose data it is) or how the systems are all interconnected and sharing personal information. And more often than not, many of these files are stored in cloud services.

To best monitor the data in your organization’s cloud and make sure that your cloud security systems can offer the necessary protection and compliance to protect data privacy, Jalil recommended two technologies: cloud access security broker (CASB) products, which find and report on known and unknown cloud services in use, and PrivacyOps services, which discover, catalog and index the data itself wherever it resides in those cloud services.

“Armed with that data,” said Jalil, “privacy teams and IT security should look for anomalies and define policies for data collection, storage and movement.”
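As an added illustration (not code from the article or from any vendor quoted in it), the checks below run the two views Jalil describes over a constructed file inventory: which cloud services are in use but unsanctioned (the CASB question), and which files holding personal data sit in a storage region that the data subjects' residency does not permit (the cross-border question). The service names, file records and the residency-to-region policy table are all constructed for the example; the policy rules are hypothetical placeholders, not a statement of what any law requires.

```python
"""Catalog constructed cloud file records and flag unknown services and
cross-border storage. Every record, service and policy rule is constructed."""
from dataclasses import dataclass

# Constructed: cloud services the organisation has sanctioned (a CASB allowlist).
SANCTIONED_SERVICES = {"crm.example", "files.example"}

# Hypothetical policy: storage regions permitted for a data subject's *residency*.
# The article notes US state laws key on residency rather than citizenship.
ALLOWED_REGIONS = {
    "US-VA": {"us-east"},             # placeholder rule for Virginia residents
    "US-CA": {"us-west", "us-east"},  # placeholder rule for California residents
    "EU": {"eu-central"},             # placeholder rule for EU residents
}

@dataclass(frozen=True)
class FileRecord:
    path: str        # file location inside the cloud service
    service: str     # cloud service hosting the file
    region: str      # region in which the service stores it
    residency: str   # residency of the data subjects whose data it holds
    has_pii: bool    # whether a discovery scan found personal data

def find_unknown_services(records):
    """Services seen in use that are absent from the sanctioned list (shadow IT)."""
    return sorted({r.service for r in records} - SANCTIONED_SERVICES)

def find_cross_border(records):
    """PII-bearing files stored outside the regions their subjects' residency allows.
    An unknown residency is flagged too: we cannot show the storage is permitted."""
    flagged = []
    for r in records:
        if not r.has_pii:
            continue
        allowed = ALLOWED_REGIONS.get(r.residency)
        if allowed is None or r.region not in allowed:
            flagged.append(r.path)
    return flagged

def sprawl_by_residency(records):
    """Count PII-bearing files per (residency, service): the 'whose data, where' view."""
    counts = {}
    for r in records:
        if r.has_pii:
            counts[(r.residency, r.service)] = counts.get((r.residency, r.service), 0) + 1
    return counts

SAMPLE = [  # constructed inventory, as a PrivacyOps discovery scan might produce
    FileRecord("/crm/va-customers.csv", "crm.example", "us-east", "US-VA", True),
    FileRecord("/files/eu-payroll.xlsx", "files.example", "us-east", "EU", True),
    FileRecord("/share/ca-leads.csv", "shadow-share.example", "us-west", "US-CA", True),
    FileRecord("/files/brand-guide.pdf", "files.example", "us-east", "US-VA", False),
    FileRecord("/crm/unknown-subjects.csv", "crm.example", "eu-central", "??", True),
]
```

Running `find_unknown_services(SAMPLE)` surfaces the unsanctioned share, while `find_cross_border(SAMPLE)` flags the EU payroll file kept in a US region and the file whose subjects' residency was never established.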

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.