Contrary to what many people imagine, “the cloud” in technology is something of a misnomer. Unlike clouds in the sky, “the cloud” is a network connected by actual computer hardware: typically one or more computer resources dispersed locally, regionally or globally that allow individuals to store, process, or transmit data. As data is moved in and out of these areas and across state and national borders, confusion can arise regarding which laws apply and which safeguards are required and recommended to protect the data.
Data privacy wasn’t top of mind when businesses and individuals began transitioning operations and data to the cloud to save money on infrastructure costs. However, as more state privacy regulations get signed into law, with several more on their way in states like North Carolina and Ohio, protecting consumer data has quickly become one of the most important objectives of the cloud service provider (CSP).
Major CSPs have begun including security services, such as data encryption and automated security patching, in their offerings by default. These mechanisms, however, serve only as bandages on problems. They do not address the larger problems, such as regulatory compliance and unprotected data breaches, that can arise when privacy controls are bolted onto systems instead of designed into their core functionality.
The concept of Privacy by Design (PbD) was generally accepted in the 1990s when seven foundational privacy principles were defined. This first attempt was driven by the desire for a systemic approach to implementing privacy controls into the rapidly evolving global system landscape.
The following seven foundational principles of PbD are a great baseline to help determine if the CSP has safeguard mechanisms in place that meet each of the criteria. They are meant to ensure that various aspects of data protection are considered when implementing a new system without slowing down the process. With regard to CSPs, it is important to observe which privacy controls are in place so that data is protected and secured.
- Proactive not reactive; Preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality – positive-sum, not zero-sum
- End-to-end security – full lifecycle protection
- Visibility and transparency – keep it open
- Respect for user privacy – keep it user-centric
Although these principles may appear to be broad and lack detail, the main driver behind them is validating that the CSP has committed to a top-down approach to data privacy and complies with relevant privacy regulation.
The CSP should implement privacy controls in its environment and validate that those controls don’t impair customer accessibility. The CSP should also ensure privacy is included in the entire system lifecycle and respect the customer’s privacy in doing so.
Without formal knowledge and training, it can be difficult for the cloud provider to validate that all the principles of PbD are accounted for. Some questions to help with this approach are:
- What systems does our organization use to conduct business?
- What data do our systems collect and process on a regular basis?
- Does our company have an appropriate method for obtaining consent from customers before collecting and processing their data?
- Does our organization use a CSP to conduct business?
- Does our organization store customer data with a CSP?
- Do the CSPs our organization uses have encryption and privacy controls in place for our data?
- How does our organization access the data that we store in the cloud?
- Where are the physical servers that store our organization’s data located?
- Do state or federal privacy law(s) apply in the region where our organization’s data is stored?
- What do applicable regulations consider to constitute consent to collect and process consumer data?
- Who is the data controller for the CSP?
- Who is the data controller for our organization?
Taking steps to answer these questions will enable CSPs to be more prepared in light of changing regulatory compliance and data security standards. For information about how your organization can implement privacy controls in your cloud, or validate their effectiveness, contact us. We are here to help.
Authored by Hunter Sundbeck, CDPSE, CISA.