How Data Privacy Laws Impact Companies’ Approach to Cloud Security

Anas Baig
Product Manager, Securiti.ai

It’s no secret that the beginnings of cloud computing were fairly humble. Executives within organizations were highly apprehensive about the idea of letting their most valuable asset, i.e., users’ data, be maintained on far-off sites in the care of strangers.

However, to cloud computing’s credit, leaps in cloud security protocols and mechanisms meant that most companies soon realized that cloud providers could do a far more effective and efficient job of providing a secure environment for their data, often at a fraction of the cost.

More importantly, organizations could hire the best cloud providers suited to their unique needs while saving costs on capital expenses. It was perfect until the elephant in the room, i.e., data privacy regulations, became a hot topic, both socially and legally.

That’s not to say that setting up a cloud security system is impossible. However, owing to data protection laws, it is no longer as simple as it once was. While organizations are still free to set up their cloud security systems as they see fit, most data protection regulations severely restrict how easily they can transfer data across the borders of the country where the data is collected.

So, just how important a role should data protection regulations play in any organization’s decision to set up a cloud security system? What considerations could any organization take into account? And finally, what are some essential practices that may aid any organization to balance its data compliance efforts with a robust cloud security system?

Understand the Data Regulation Implications

The world is more globalized than it has ever been. User data is perhaps the biggest testament to that statement. It is increasingly common for an organization in the UK to have its cloud servers set up in Finland, catering to customers in South Korea while outsourcing some of its functions to individuals in Bangladesh. It might sound like a complicated arrangement, but it moves like clockwork, with everyone playing their part.

However, there is a flip side to it. In such an arrangement, the organization may well find itself subject to data regulation compliance in all four countries, since the sharing and transfer of user data will likely be involved. More importantly, each of these four countries may have a different take on such laissez-faire transfer of user data across borders.

As far as Cloud Service Providers (CSPs) are concerned, the arrangement mentioned above and its implications are usually tenfold since they are likely handling user data collected from users globally. Naturally, if any discrepancies are found in how the data was collected and transferred, they will be subject to thorough investigations themselves.

For organizations, it is vital to ensure they understand the data protection statutes in place in the countries where they collect data on users and, more importantly, in the country where the data service provider will store this collected data.

While most data protection laws have statutes governing cross-border transfers of data, other implications need to be taken into account, such as requirements to register all public and private databases with the relevant authorities, as well as ensuring that all third-party vendors that may have access to data have a proper reason for that access.

Curate the Data

That last part mentioned above should hold special significance for any organization planning to set up a cloud security system. It is crucial to know precisely which personnel within the third-party cloud service provider will access your data.

The best way to do so is to request categories of employees who may need access to your stored data. This will allow you to decide whether providing such access would still be within the bounds of the data protection laws your users are protected by.

Furthermore, it is equally important to inform your users about the use of these third-party cloud security systems and to obtain their consent. As nearly all data regulations require thorough consent from users before organizations can hand over their data to third-party vendors, it is both legally and ethically responsible to ensure you have the proper permissions to do so.

The consent forms from users, together with a record of the categories of third-party resources that may have had access to your employee data, may prove a tremendous resource when facing investigations or litigation.

Encrypt, Encrypt, Encrypt

The value of encrypting your users’ data properly cannot be overstated. Numerous data protection laws highlight encryption as an adequate security measure. This should be apparent because, per several data protection regulations, organizations are exempt from informing users about a data breach if they can prove they took the necessary steps to properly encrypt any data that may have been exposed.

Most CSPs provide both in-transit and at-rest encryption for data. This ensures that any data uploaded to the cloud is adequately encrypted even while being uploaded. However, encryption on its own can be the way to bridge the legality gap between data privacy laws and cloud security systems.

Additionally, organizations may choose to implement file-level encryption before transferring or uploading any data to the cloud. It may be a simplistic step, but it provides all data being uploaded to the cloud with additional bits of security.

Lastly, in case encryption of data is not possible, an organization may find sharding its data a viable alternative. Sharding data refers to storing parts of all user data across various locations, hence using multiple cloud security locations rather than one.

While this may require an organization to scale up its compliance efforts with more data regulations, it guarantees that users’ data is not compromised entirely in case of a breach and does qualify as an appropriate security measure under most data privacy laws.

Final Words

It should be clear by now that there is no “one-size-fits-all” solution when it comes to determining just how big of a role data privacy laws should play in selecting and setting up cloud security systems.

The best way to determine the best path for your organization is to carry out a thorough data mapping activity and jot down just how exposed your organization will be when selecting a particular Cloud Service Provider and whether you’ll be able to meet your compliance requirements.
