It’s impossible to discuss technology these days without considering the cloud and its associated data risk. I asked my guests our recent Ed TALK Privacy in a Gossipy, Digital World if they thought organizations need cloud-specific privacy policies. Spoiler alert! The expert consensus is that cloud-specific privacy policies aren’t just helpful but critical.
“By 2020, a Corporate ‘No-Cloud’ Policy Will Be as Rare as a ‘No-Internet’ Policy Is Today” – Gartner press release, June 22, 2016
For decades, data was protected with behind-the-firewall solutions, but as the cloud emerged, we munged everything together for simplicity’s sake; however, we weren’t doing our customers justice when managing their data. Sometimes it was impossible to ascertain where precisely in the cloud the data was being stored or processed. Additionally, as organizations migrated their product strategy from desktop/datacenter products to cloud/SaaS products, customer data went along with that migration. According to Erika Fisher, Chief Administrative Officer & General Counsel at Atlassian, it can be challenging for privacy and data security. “We had to do a lot of thinking and documenting to make sure that we were protecting very sensitive information that we hold, and it was not always easy to get the attention of some of the cloud service providers.”
There are different expectations in the cloud, and it’s essential to have a privacy policy that clarifies what responsibility you are taking on with regard to cloud products versus responsibility that you can’t take on with datacenter or server products. Elena Elkina stresses the importance of recognizing regional regulations and laws to her clients. Cloud Service Providers (CSPs) have done an excellent job of addressing this in the market. Previously, you would have seen just one or two offerings from AWS or Microsoft.
Now, you see a very segmented set of offerings - you can buy a German cloud infrastructure, a specific US cloud, a government cloud, etc. It’s tough for any company to offer a greater degree of privacy and security guarantee beyond what the underlying foundational technology is willing to represent, i.e., the CSP.
In terms of procuring and partnering with the providers, data privacy and security become barriers to entry for many smaller companies. The cloud is so appealing with its scale and service efficiencies. Still, when you layer on the requirements that come with the cloud and consider data privacy implications, it can get costly and confusing.
Organizations are well-served to think through and grow into the point solutions they truly need. CSPs offer an extensive menu of services. Be selective. If you haven’t conducted a privacy impact assessment (PIA), consider doing that first. We rely on the CSP vendors to set the standard for cloud services and make those services accessible for everybody, ultimately in the interest of innovation. However, the CSPs are not responsible for your data, so policies around data encryption, storage, backup, and provenance are essential.
Sharing her 10+ years of privacy experience, Elena Elkina spoke strongly about having a separate set of policies for data lakes. She said many organizations ignore them because trying to write privacy controls for data lakes is a lot of work. However, ignore them at your peril. “If you aren’t documenting and managing your data, it can eat you alive,” said Larry Ponemon.
Data privacy controls can prevent your data lake from becoming a data swamp. Part of the work of managing data lakes, with respect to privacy, is to first document and understand the various formats of data in your repository – raw data/files, transformed data used for reporting & analytics, structured data like a database, binary data like images & video, documents such as emails & PDFs, etc. Using metatags for files and folders is a valuable tactic for organizing your data lake. This will help you fast-track a PIA (or threat model), so you can begin to construct protection mechanisms, e.g., encryption, and define when/where/how to apply that mechanism for each data set.
The Cloud Security Alliance has many good resources to help understand cloud data privacy & security issues. For example, their “Code of Conduct for GDPR Compliance” helps organizations streamline the contracting process and reduce the time needed for legal review. There is a GDPR Code of Conduct self-assessment, an evidence-based questionnaire thoroughly vetted by their experts, if you wish. If their experts approve of your submission, you can be added to their GDPR compliance registry, and you can get a Compliance Mark that you can use publicly for one year. CSA also has a security questionnaire that offers a way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask a cloud provider to ascertain their compliance with common data security and privacy controls. This can undoubtedly help jump-start your cloud policy initiatives.