Readjusting Cloud and Data Privacy Predictions
This year’s sudden, unexpected need for cloud capabilities has helped to shift a very important learning to the forefront: Privacy and security are not corners you can cut. While the need to quickly migrate to the cloud is understandable, it is just as important to implement the necessary steps to reduce the risk of data exposure.
At the beginning of each year, experts from across industries share predictions, highlighting what they believe will be the biggest trends in the coming 12 months. It is fair to say that 2020 has thrown quite a curveball, creating business needs that none of us could have predicted. Take corporate America’s rapid transition to a nearly exclusive remote work environment, which has forced many businesses to accelerate cloud migration plans to ensure productivity and business continuity.
While the need to quickly migrate to the cloud is understandable, it is just as important to implement the necessary steps to reduce the risk of data exposure — even if migration is delayed. With this in mind, forward-thinking organizations are taking specific steps to address immediate and long-term privacy and security needs. Such steps include taking a DataSecOps approach, supplementing security with privacy, and creating data-focused leadership roles.
A DataSecOps Approach
Privacy and security cannot be additions to cloud migration; they should be an integral part of the entire project. However, there is a distinct difference in the two – privacy is about the rights of the subjects whose data is collected while security is about how it is protected. A DataSecOps approach helps achieve the goal to ensure both, as it is founded on security teams and data scientists collaborating early and often throughout a project to ensure privacy and security are inherent drivers of every decision. Best practices for implementing a Data SecOps approach include:
- Implementing policies that clearly define how data is to be collected, transformed, analyzed and shared. Rules for data should vary, based on risk profiles.
- Logging and reporting sensitive data access and use to ensure regulatory compliance.
- Assessing a pre-migration security posture and integrating security controls that address security gaps.
By taking a DataSecOps approach, privacy and security are folded in from the very beginning, positioning organizations to reduce the risk of data exposure during all phases of cloud migration.
Supplementing Security with Privacy
While most cloud-based infrastructure includes basic cybersecurity protection, it is not enough to stop most hackers because misconfigurations, lack of access control, and other vulnerabilities can still result in a data breach.
As companies settle into their new cloud-based realities, they will soon realize the need for advanced privacy features that support security efforts to protect data they’re moving to the cloud:
- Data masking creates a one-way transformation by replacing sensitive content with dummy content so should data be compromised. It presents no threat of loss. This practice is common among companies that use cloud infrastructure for test and development, but it will soon be implemented into a more broad security practice at many companies in order to comply with privacy regulations.
- Tokenization, similar to data masking, takes data and replaces it with new, authentic-looking data as a decoy. This can fool rogue access into believing that it is accessing real data but still allows data processing in applications with the correct key.
- Improved encryption techniques allow sensitive information to be encrypted at rest, in use, and in memory. Most traditional data encryption only occurs while at rest, then must be unencrypted in order to be analyzed. Newer forms of encryption allow for privacy-preserving analytics, which gives authorized users the ability to analyze data while it is still fully encrypted and protected.
Creating Data-focused Leadership Roles
As mass data collection becomes ubiquitous, privacy regulations like California Consumer Protection Act (CCPA) and General Data Protection Regulation (GDPR) are meant to regulate who has access to that data and how it is processed. This trend is amplified as many organizations are migrating to cloud in order to take advantage of the availability of newer services available at scale. To sort out the complex nature of compliance, we are seeing an increase in the creation of new roles such as the chief data officer (CDO) and data protection officer (DPO). The people who fill these roles help manage the organization’s data privacy and the associated tradeoffs between using the data as an asset to extract its value and protecting it as a liability.
- Chief Data Officers primarily focus on how the organization handles, processes and stores data while ensuring that their customers’ data privacy is maintained.
- Data Protection Officers are required roles for organizations adhering to GDPR and are responsible for overseeing compliance, implementing data processing training and strategy, and conducting security assessments, among other activities.
CDOs or DPOs also have deep knowledge related to the newest data protection technologies, which can help organizations keep up with emerging data threats. And because these positions require expertise in compliance, CDOs and DPOs help prepare organization-wide data policies to help comply with new privacy regulations or changes to existing ones.
This year’s sudden, unexpected need for cloud capabilities has helped to shift very important learning to the forefront: Privacy and security are not corners that you can cut. To maintain compliance — and to prevent very serious issues later on — protecting data must be a top priority before, during, and after cloud migration.