Data privacy laws add complexity to securing the cloud
Twelve states are currently considering new data privacy laws or updates and changes to laws already in place. The Virginia Consumer Data Protection Act (VCDPA), for example, takes effect on January 1, 2023. All of these national privacy laws, along with international data privacy laws, come with their own set of regulations that create data security challenges for teams everywhere. How do organizations meet all of these unique data compliance regulations?
Given that much relevant data is transmitted or stored in the cloud, how do you best deal with data privacy laws in a global workforce and cloud environment?
Carefully, Tim Wade, deputy technical director at Vectra, said in an email interview.
“Often, this involves clear and intentional segmentation of storage and access, so that geographic region or national origin maintains a clear separation with respect to legal requirements. Assuming these laws materially improve the privacy of the people they are meant to protect, it allows such protection to exist in a global workforce – the challenge, of course, is the additional IT management complexity it introduces, which increases the likelihood of a security hardware failure.”
Responsibility for Data Privacy in the Cloud
Privacy laws state that organizations are responsible for the data they collect wherever it is ultimately processed or stored, Securiti CEO Rehan Jalil explained in an email interview. It’s not just the people within the organization who must comply with privacy regulations and security requirements; all third parties, contractors and cloud providers must provide strong security and privacy policies and it is the organization’s responsibility to ensure this happens.
“Organizations need to know every cloud service their users and systems connect to and review data transfers to those cloud services (and any other outsourcing) to ensure regulations aren’t being violated,” Jalil said.
Due to the complexity and disparate nature of US data privacy laws, companies need to know exactly where their employees and customers are. Generally, these laws are based on the residence rather than the citizenship of the person whose data is collected and processed.
Knowing this, security and compliance teams can then begin the hard work of identifying the privacy laws that correlate to each individual, sensitive piece of data.
“By discussing, identifying and defining each company’s privacy requirements, companies can work upstream to identify the national, state and/or local privacy laws to which the company is subject,” said Alex Ondrick, director of security operations at BreachQuest, via email.
The Role of Data Privacy Laws in Cloud Security
Data privacy laws should always be considered part of cloud security, Jalil said.
“Many regulations deal with cross-border transfers and set minimum requirements before data is allowed to move from one location to another country,” Jalil said. “The organization must therefore examine where the data is stored and processed and review all laws in other countries to ensure that the appropriate legal and technical safeguards are in place.”
To avoid penalties for non-compliance, companies should thoroughly study the data privacy laws of the countries in which they operate before placing sensitive and critical data in the cloud, advised Shweta Khare, cybersecurity evangelist at Delinea.
“The cloud is a shared responsibility. Never assume that the cloud provider’s default security controls can completely protect your data and help meet specific compliance and regulatory requirements,” Khare said. “While cloud providers have good controls in place for data protection in the cloud, they make it clear that customers remain responsible for complying with applicable privacy laws, regulations, and programs.”
One of the biggest risks to cloud security and data privacy compliance is lack of awareness of the amount of data proliferation that occurs within the organization. As Jalil pointed out, too many organizations have no idea how many files individual users have created, what kind of data those files contain (and whose data it is), or how systems are all interconnected and share personal information. And more often than not, many of these files are stored in cloud services.
To best monitor your organization’s cloud data and ensure that your cloud security systems can provide the protection and compliance needed to safeguard data privacy, Jalil recommended two technologies: a Cloud Access Security Broker (CASB), which can find and report unknown cloud services in use, and PrivacyOps services, which can discover, catalog, and index the data itself wherever it resides in these cloud services.
“Armed with this data,” Jalil said, “privacy and IT security teams need to find anomalies and set policies for data collection, storage and movement.”