The California Consumer Privacy Act of 2018 (CCPA) was approved by the California State Governor on June 28, 2018, and goes into effect on January 1, 2020. The CCPA law sets new leading-edge standards in data privacy, not only for the State of California, but also for the rest of the United States.
A very large percentage of mid-sized and large enterprises do business in the State of California. They will have to take concrete steps to align their cloud security with the requirements of the pending legislation. For most, this will be a huge administrative and software development burden. Many businesses will absolutely not be ready by January 1, 2020, to support the compliance of their cloud infrastructure with the CCPA.
Much of the data you keep in your clouds today likely includes personally identifiable information (PII) which is highly regulated under the CCPA. PII as defined under CCPA is very broad and includes real name, alias, postal address, account name, social security number, driver’s license number, passport number, and other similar identifiers. PII specifically includes many other categories of data such as biometrics (specifically including DNA data), internet search and browse data (anything used for digital marketing), geolocation data, employment information, and much more. The CCPA definition of PII even addresses “probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
The rapid move to the cloud has brought new challenges to protect PII data which must be addressed to meet the CCPA. It is incumbent on organizations that wish to ensure that their cloud computing is CCPA compliant to select the new technology sets that provide the protections they need.
Data protection, of course, is your get-out-of-jail-free card. The CCPA emphasizes data protection rights as critically important. Encryption stands front and center as a protective measure to be used by any business. Consider that any “consumer whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” The encryption of all of your cloud data allows you the essential protections to maintain compliance with CCPA, and minimize or entirely eliminate your liability in the event of a data breach.
In order to adequately protect personal information (PII) in the cloud the most essential capability is visibility. You must know what kinds of sensitive data exist in your sanctioned clouds. Sanctioned clouds contain data in applications which are supported by your business and information technology teams. Perhaps more important, is to understand which unsanctioned clouds are in use and which might contain PII and sensitive data. These may be your greatest liability in meeting the CCPA. You must be aware of them, understand the liability, and then decisively shut down those that run afoul of your corporate policy.
Enterprises also need the ability to monitor and control who has access to what kinds of PII/sensitive data. You need the ability to block unauthorized individuals from accessing or downloading sensitive data while at all times monitoring everyone’s access to PII and sensitive data. Data loss prevention (DLP) can help automate the application of encryption as data moves through your clouds and supply chain ecosystem. Digital rights management (DRM) can apply the necessary protection to the data, such that if it moves out of your organization, or your control, that you can still secure the data.
As with any compliance law, the collection of audit and log data is necessary to support compliance assessment and related. This collection of data is also extremely helpful for meeting the needs of other compliance and/or data privacy laws. Your must know who accessed your sensitive cloud data, when they did so, and specifically what data elements they accessed.
We must also recognize that the enterprise has become more porous. Cloud, mobile, and on-premise allow a greater probability that the credentials of your authorized users may be stolen or accesses. Even a small misconfiguration in your clouds may accidentally expose authentication data. Once credentials are compromised, you need the behavioral controls that will help identify both malign behavior and anomalous behavior, even through authorized user credentials.
CASB is a simple but elegant solution to bring in the technology sets to support your CCPA compliance. CASB presents an integrated portfolio of technologies that directly address the top cloud threats. CASB can align your cybersecurity defense with the CCPA as it brings important and critical features for cloud threats and data protection.
CASB technologies such as data loss prevention (DLP), native device management, UEBA, adaptive access control, secure offline data access, automated PII anonymization, and digital rights management can also provide the protection your data will need to stay secure. CASB can shorten the path to addressing cloud threats, directly address the requirements of CCPA, and strengthen and enhance your cloud security strategy.