5 Unavoidable Steps to Privacy Compliance When Adopting Cloud Services
How to achieve data privacy when migrating to the cloud and trusting someone else with your data.
Business demands for flexibility, scale, fast implementations and other varying economic factors are driving companies to rapidly adopt cloud-based services and outsource many traditional IT services and data center operations.
This blog describes 5 unavoidable steps in adopting cloud services without sacrificing flexibility, data mobility and regulatory compliance with data privacy regulations. These steps must be completed regardless of the underlying data storage location, or application(s) used to access the data and are even more important when migrating from on-premise to public cloud hosting and processing.
You can outsource everything but common sense and security
This does not mean you can ignore all the government and industry mandated data privacy and protection regulations. Organizations remain responsible even when the data they have been entrusted with resides somewhere else.
Step 1: Inventory your data
Inventory existing data and any additional data expected to be collected in the near future. Identify all upstream and downstream data flows, data lineage, essential applications and processes requiring access to any sensitive or regulated information assets. This must be achieved in very dynamic environment(s) where the data, the storage location and compute applications are constantly changing to meet business needs. Consider the logical location of the data as the physical location becomes more abstracted.
There are two different approaches to data discovery
Data discovery tools that analyze and map existing data access and data flow patterns are particularly effective at capturing actual data access requirements and identifying where controls must be placed. They enable companies to quickly start protecting and processing data using fully compliant methods.
Data Discovery tools that take a brute-force approach and scan all database content are challenging to configure when trying to accurately identify Personally Identifiable Information (PII) without generating an unmanageable number of false positives. The data discovery path you choose is important. One path leads to immediate actionable results and rapid compliance with data privacy regulations. The other is a long, complex and expensive path where organizations can get lost for months before producing usable results. This choice will be the topic of another blog.
Step 2: Identify data privacy compliance requirements
Industry-specific privacy regulations like HIPAA (Health Insurance Portability and Accountability Act) for Healthcare data or PCI-DSS Payment Card Industry – Digital Security Standard for credit card Primary Account Number (PAN).
Data subject-specific like COPPA (Children’s On-line Privacy Protection Act) or internal VIP Customer data access controls.
Geo Location-specific regulations applicable to specific citizens or nationalities like GDPR (Global Data Privacy Regulation) or CCPA (California Consumer Privacy Act).
Consent Management – adhering to generally accepted privacy principles, Opt-In, Opt-Out preferences, Right-To-Be-Forgotten (RTBF), data usage.
Your business may be global but data privacy regulations are local
The myriad laws and regulations often result in complex, overlapping and conflicting data protection, privacy, governance and use restrictions. These must all be identified and considered in the next step.
Step 3: Identify required data access and data protection controls
Define and document the required data collection, access, use, retention requirements and associated controls and audit trail to meet all relevant data privacy and protection mandates.
This will often involve multi-dimensional, overlapping data access hierarchies and matrixed access controls requirements like geo-fencing, or special handling for VIP, high net worth, celebrity or RTBF data subjects and more that are constantly changing along with authorized usage.
These complex, multi-dimensional access control requirements quickly become virtually impossible to model using traditional, proprietary, database or application specific, view layer security and Role Based Access Controls (RBAC). Attribute Based Access Controls (ABAC) become essential to enforcing any more complex access control requirements, data governance and use limitations. A wide range of both user and data attributes become critical variables in making real-time access control decisions. Data attributes may be embedded in the data set. User attributes may be maintained in a central directory service or a table in another database platform.
Cloud services migrations add further data protection complexity
Cloud hosting of sensitive or regulated data also typically involves encryption or anonymization of the data hosted by a cloud services provider. Every organization needs to retain control over the encryption keys and the ability to unprotect the data. Data obfuscation and data masking capability are also needed for supporting various use cases.
Centrally managed, consistently applied, fine-grained, ABAC that follows the data regardless of where it is hosted, or the applications used to access it, is essential for maintaining data mobility and flexibility to leverage cloud hosting services.
Step 4: Configure and test controls
Traditionally this requires designing, testing, implementing and enforcing the same controls consistently across a wide range of constantly changing platforms and applications. Each new platform means starting over, using all different methods, to model the exact same complex access controls. This adds significant cost and introduces a lot of risk from increased probability of data breaches, regulatory compliance violations, reputational damage or loss of competitive advantage.
This often requires expensive consulting engagements or additional FTE’s for months of custom configuration, development and testing work each time data is moved to another platform or a new application is used to access the data. This is further exasperated by hot new technology platforms or services that frequently have far less mature and less capable data protection or access control functionality than traditional database platforms and applications they replace.
Centrally managed, consistently applied, policy-based ABAC is essential
Much better are storage platform and application-independent, centrally managed, policy-based controls that easily model complex, access controls and usage rules using plain business language using an intuitive GUI (Graphical User Interface). Then, automatically and consistently apply the same complex overlapping ABAC rules across all platforms hosting the data and all applications or tools used to access the data. The controls must follow the data.
Organizations are then free to leverage cloud-based data hosting and analytics platforms without relinquishing control over their sensitive data. Authorized users see all the data they need to do their job while only encrypted or anonymized data is hosted outside of trusted data center(s). Once the policy-based rules are created, they are automatically enforced for all applications and all hosting platforms in-house, or in the cloud, as soon as the data is copied to the new location.
Any additions or changes to the policy-based access controls are automatically applied to all platforms and applications within minutes of the change being made. The same applies to any changes in user or data attributes. A customer exercising their Right To Be Forgotten (RTBF) for example can be applied instantly across all platforms preventing that data subject or customer’s data from being included in any data analytics, processing or inclusion in any final result set within seconds of the request being received.
Step 5: Monitor compliance
The final step in the process is to establish an independent, fully configurable, tamper-proof audit trail of all access to any regulated data. The audit trail of all access from all applications must be collected in a single, central location much like Database Activity Monitoring (DAM) products and Security Information Event Management (SIEM) tools do today.
Effective compliance monitoring requires a more intelligent approach
This monitoring should also include User Behavior Analytics (UBA) that considers multiple factors (day or time of day, # of records accessed, application used, metrics relative to peers and historical access patterns, etc.) in detecting, alerting and/or blocking anomalous activity. UBA should have configurable weighting of different factors to benchmark normal data access patterns and better identify any anomalous activity. This traditionally required dedicated UBA tools that relied on analyzing activity log data after the fact. Preferable is real-time UBA with active alerting, blocking and Data Loss Prevention (DLP) capability.
Migrating to the cloud can introduce a lot of risk and be expensive to implement before realizing any financial benefits if any of these steps are skipped. It typically involves a lot of security controls design, development, testing and implementation work every time a new cloud provider, hosting platform or application is used to access the data. This traditionally involves configuring and testing multiple data security tools or applications that all require separate installations, servers and integration with databases, applications and other security tools.
Alternatively, SecuPi offers a one-stop-shop providing all of the following:
- Data Centric Audit and Protection (DCAP) without changes to Databases or Applications
- Discover and Map Sensitive Data Lineage and Data Flows Automatically
- Format Preserving Encrypt, Tokenize, Obfuscate, Mask, Anonymize as/where required
- Centrally Managed, Policy-Based, Fine-Grained, Attribute Based Access Control (ABAC)
- Tamper-Proof Audit Trail and real-time User Behavior Analytics (UBA)
- Independent, fully configurable, Database Activity Monitoring (DAM)
- Customer Consent Management and Right To Be Forgotten (RTBF)
- Data Loss Prevention (DLP)
- Active Real-Time Alerting and Blocking of Unauthorized Access to Regulated Data
- Platform Independent Row Level Security (RLS) and Column Level Security (CLS)
- Data Mobility with Data Access Policy Automatically Following the Data Across Platforms
- Seamless Integration with other Security Tools (Data Encryption, SIEM, Active Directory)
- Control data access/use at User Request, Data Request, Data Response, User Response
SecuPi would be happy to provide an overview and demo of the benefits of leveraging this next-generation technology.
The author, Les McMonagle (CISSP, CISA, ITIL) is Chief Security Strategist at SecuPi and has over 20 years’ experience in information security, data privacy and regulatory compliance helping some of the largest and most complex organizations select appropriate data security technology solutions.
Or, visit our website at www.secupi.com