
Published on September 24th, 2019

Maintaining data security while processing data in the cloud



The scalability, flexibility, easy access, and cost savings of the cloud have made it easier than ever for organizations to store, access, and analyze their customer data. However, regulations like the General Data Protection Regulation (GDPR) place significant demands around how and where data can be accessed and used. Consequently, global organizations that are processing data in the cloud often struggle to achieve data security and regulatory compliance.

In fact, when Google was fined €50 million in France for violating GDPR, much of what the French Data Protection Authority (CNIL) focused on was how the company was processing personal data. Google was not fully disclosing to its Android app customers how their data was being collected and processed for personal advertisements across its services.

Enabling Actionable Data With the Cloud

Cloud data analytics are essential to
maintaining a competitive edge; as such, it is incredibly important for data
stored in the cloud to be actionable. Actionable data allows organizations to
keep internal processes efficient, easily identify customer needs, and tailor
their offerings to evolving demands. The problem is that making data accessible
and actionable can entail creating vulnerabilities. The traditional ways of
securing data, including agents and firewalls, are not effective for securing
data that has gone beyond the corporate perimeter. Storing and analyzing data
in the cloud is a fundamentally different way of conducting business and
requires a fundamentally different approach to cybersecurity. Consequently,
many organizations are struggling to store and process data in the cloud while
simultaneously maintaining the correct levels of security and regulatory
compliance.

The Challenge: Data Sovereignty & Regulations

Data sovereignty laws state that data is
subject to the laws of the nation within which it is collected. These laws can
create roadblocks for unprepared organizations that are analyzing data in the
cloud, a frontier that is designed to make data available anywhere and
everywhere. In other words, data regulations such as GDPR, which protect the
personal information of citizens of select countries, create headaches for
organizations when their users try to store or process regulated data outside
of the country of its origin.

Beyond the data sovereignty issues described above,
regulations place a number of other demands on organizations.
While security goes beyond rules and regulations, those rules are an important place
to start, particularly for organizations looking to avoid fines.

Why Traditional Security Approaches Don’t Work





As noted previously, the traditional ways of
securing data, including agents and firewalls, are rendered insufficient once
organizations begin analyzing data in the cloud.

  • Agents are only effective when
    they are deployed on all of the
    devices used by employees and partners to access corporate data. These tools
    grant comprehensive visibility and control over the devices on which they are
    installed. While this is fine for corporate assets, employees typically resist
    such installations on their personal devices for fear of having their personal
    data and web traffic monitored by their employers. Since 85% of organizations now embrace BYOD, this is
    not an adequate solution for maintaining data security in modern IT environments.
  • Firewalls are on-prem tools that
    are no longer useful for protecting data in cloud environments. It’s impossible
    to put a firewall around Office 365 or Salesforce, or to use one to secure the
    highly heterogeneous mix of managed and BYO devices that access data outside of
    corporate headquarters and around the world.
  • Encryption (or pseudonymization,
    as defined by GDPR) helps secure data at rest in cloud applications –
    particularly when said apps physically store data in foreign nations that are
    deemed unsafe by regulations’ data sovereignty requirements. Unfortunately,
    native encryption functionality, such as what is provided by apps like
    Salesforce, is not truly secure. This is because these apps hold both the
    encrypted data and the encryption keys. Consequently, everything that a
    malicious party needs in order to access the decrypted data is stored in the
    same location. Additionally, this means that native app encryption does not
    protect data that is physically stored in unsafe locations, leading to noncompliance
    with regulations like GDPR.

None of these tools are adequate options for
securing data processing in the cloud. Organizations that can’t secure cloud
apps, personal devices, and all off-premises activity are vulnerable from a
security perspective and risk noncompliance with regulations. An alternative to
these solutions is to block all access from remote or personal devices and to
force all users to leverage a VPN; however, fewer and fewer companies are using
this tactic because it impedes user efficiency. 

Achieving Actionability AND Security

Fortunately, there are solutions that allow
companies to achieve security and compliance while they leverage their vast
stores of data in the cloud. The following capabilities will enable any
organization to process cloud data effectively and securely.

  • Contextual access control can allow and block
    data access based on a user’s geographic location, job function, device type,
    and other variables, giving companies highly granular control over their data.
  • API integrations with enterprise cloud
    applications allow organizations to detect, manage, and delete sensitive data
    patterns at rest within the cloud.
  • As mentioned above, cloud encryption can protect corporate
    information and satisfy the data sovereignty requirements of regulations like
    GDPR. However, this is not necessarily the case if the encryption key is stored
    within the cloud app that houses the encrypted data – as is the case with most
    apps’ native encryption tools. Fortunately, third-party solutions that provide
    full-strength cloud encryption protect both structured and unstructured data at
    rest and allow companies to retain control over their own encryption keys. This
    type of encryption is the only way to enable secure data processing in the
    cloud that satisfies data sovereignty demands.
  • An organization must have full visibility and monitoring capabilities
    across its entire cloud footprint, which is important from both security and
    compliance perspectives. This is because even authorized users can represent a
    threat to data, and because users accessing data outside of a specific region
    can violate data sovereignty laws. In addition to comprehensive logging and
    reporting, this entails the use of user and entity behavior analytics (UEBA).
    This capability can detect suspicious user behavior in real time and enable
    automated responses such as alerting IT or enforcing step-up multi-factor
    authentication.
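
A minimal sketch of the contextual access control and automated step-up response described in the list above, as an added example (not code from the article or from any vendor). The policy tables, field names, and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: countries allowed to process each residency class.
ALLOWED_PROCESSING = {"eu": {"DE", "FR", "IE", "NL"}, "us": {"US"}}
# Constructed mapping of job function to the data classifications it may read.
ROLE_SCOPE = {
    "analyst": {"public", "internal"},
    "support": {"public", "internal", "personal"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str             # job function
    country: str          # where the user connects from (ISO 3166 alpha-2)
    managed_device: bool  # False for BYOD
    classification: str   # label on the requested record
    residency: str        # residency class of the record, e.g. "eu"

def decide(req):
    """Return (decision, reason); decision is allow, step_up_mfa or block."""
    if req.classification not in ROLE_SCOPE.get(req.role, set()):
        return "block", "role not scoped for this classification"
    regulated = req.classification == "personal"
    in_region = req.country in ALLOWED_PROCESSING.get(req.residency, set())
    if regulated and not in_region:
        return "block", "personal data requested outside permitted region"
    if regulated and not req.managed_device:
        return "step_up_mfa", "personal data on unmanaged device"
    if not in_region:
        return "step_up_mfa", "unusual location for this data set"
    return "allow", "context satisfies policy"

def audit(requests):
    """Evaluate a batch and return log records for the monitoring pipeline."""
    return [{"user": r.user, "decision": d, "reason": why}
            for r in requests for d, why in [decide(r)]]

# Constructed sample requests covering each outcome.
SAMPLE = [
    Request("alice", "support", "DE", True, "personal", "eu"),
    Request("bob", "support", "DE", False, "personal", "eu"),
    Request("carol", "support", "US", True, "personal", "eu"),
    Request("dave", "analyst", "FR", True, "personal", "eu"),
    Request("erin", "analyst", "US", True, "internal", "eu"),
]
if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print(rec)
```

Every decision, including the allowed ones, is returned as a log record so that the same data feeds the logging and reporting the last bullet calls for.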

Organizations looking to achieve data security
and compliance without restricting their ability to benefit from data-driven
insights need to ensure that the proper security processes, policies, and tools
are in place. Trying to extend traditional, on-premises solutions and
strategies to the cloud is simply not an option. Organizations that attempt
this will quickly find themselves outside of compliance with data privacy laws
and, in the case of GDPR, facing fines that amount to 4% of their revenue.

While it may appear as though regulatory
frameworks are a hindrance for those that are looking to process their data in
the cloud, the fact remains that reaching compliance is a solid starting point
for protecting data, respecting the individuals whose information is being
processed, and demonstrating the qualities of a trustworthy, socially
responsible, and forward-thinking organization.
