The scalability, flexibility, easy access, and cost savings of the cloud have made it easier than ever for organizations to store, access, and analyze their customer data. However, regulations like the General Data Protection Regulation (GDPR) place significant demands around how and where data can be accessed and used. Consequently, global organizations that are processing data in the cloud often struggle to achieve data security and regulatory compliance.
In fact, when Google was fined €50 million in France for violating GDPR, much of what the French Data Protection Authority (CNIL) focused on was how the company was processing personal data. Google was not fully disclosing to its Android app customers how their data was being collected and processed for personal advertisements across its services.
Enabling Actionable Data With the Cloud
Cloud data analytics are essential to maintaining a competitive edge; as such, it is incredibly important for data stored in the cloud to be actionable. Actionable data allows organizations to keep internal processes efficient, easily identify customer needs, and tailor their offerings to evolving demands. The problem is that making data accessible and actionable can entail creating vulnerabilities. The traditional ways of securing data, including agents and firewalls, are not effective for securing data that has gone beyond the corporate perimeter. Storing and analyzing data in the cloud is a fundamentally different way of conducting business and requires a fundamentally different approach to cybersecurity. Consequently, many organizations are struggling to store and process data in the cloud while simultaneously maintaining the correct levels of security and regulatory compliance.
The Challenge: Data Sovereignty & Regulations
Data sovereignty laws state that data is subject to the laws of the nation within which it is collected. These laws can create roadblocks for unprepared organizations that are analyzing data in the cloud, a frontier that is designed to make data available anywhere and everywhere. In other words, data regulations such as GDPR, which protect the personal information of citizens of select countries, create headaches for organizations when their users try to store or process regulated data outside of the country of its origin.
Outside of the aforementioned data sovereignty issues, regulations place a number of other demands on organizations, as well. While security goes beyond rules and regulations, they are an important place to start – particularly for those looking to avoid fines.
Why Traditional Security Approaches Don’t Work
As noted previously, the traditional ways of securing data, including agents and firewalls, are rendered insufficient once organizations begin analyzing data in the cloud.
- Agents are only effective when they are deployed on all of the devices used by employees and partners to access corporate data. These tools grant comprehensive visibility and control over the devices on which they are installed. While this is fine for corporate assets, employees typically resist such installations on their personal devices for fear of having their personal data and web traffic monitored by their employers. Since 85% of organizations now embrace BYOD, this is not an adequate solution for maintaining data security in modern IT environments.
- Firewalls are on-prem tools that are no longer useful for protecting data in cloud environments. It’s impossible to put a firewall around Office 365 or Salesforce, or to use one to secure the highly heterogeneous mix of managed and BYO devices that access data outside of corporate headquarters and around the world.
- Encryption (or pseudonymization, as defined by GDPR) helps secure data at rest in cloud applications – particularly when said apps physically store data in foreign nations that are deemed unsafe by regulations’ data sovereignty requirements. Unfortunately, native encryption functionality, such as what is provided by apps like Salesforce, is not truly secure. This is because these apps hold both the encrypted data and the encryption keys. Consequently, everything that a malicious party needs in order to access the decrypted data is stored in the same location. Additionally, this means that native app encryption does not protect data that is physically stored in unsafe locations, leading to noncompliance with regulations like GDPR.
None of these tools are adequate options for securing data processing in the cloud. Organizations that can't secure cloud apps, personal devices, and all off-premises activity are vulnerable from a security perspective and risk noncompliance with regulations. An alternative to these solutions is to block all access from remote or personal devices and to force all users to leverage a VPN; however, fewer and fewer companies are using this tactic because it impedes user efficiency.
Achieving Actionability AND Security
Fortunately, there are solutions that allow companies to achieve security and compliance while they leverage their vast stores of data in the cloud. The following capabilities will enable any organization to process cloud data effectively and securely.
- Contextual access control can allow and block data access based on a user’s geographic location, job function, device type, and other variables, giving companies highly granular control over their data.
- API integrations with enterprise cloud applications allow organizations to detect, manage, and delete sensitive data patterns at rest within the cloud.
- As mentioned above, cloud encryption can protect corporate information and satisfy the data sovereignty requirements of regulations like GDPR. However, this is not necessarily the case if the encryption key is stored within the cloud app that houses the encrypted data – as is the case with most apps’ native encryption tools. Fortunately, third-party solutions that provide full-strength cloud encryption protect both structured and unstructured data at rest and allow companies to retain control over their own encryption keys. This type of encryption is the only way to enable secure data processing in the cloud that satisfies data sovereignty demands.
- An organization must have full visibility and monitoring capabilities across its entire cloud footprint, which is important from both security and compliance perspectives. This is because even authorized users can represent a threat to data, and because users accessing data outside of a specific region can violate data sovereignty laws. In addition to comprehensive logging and reporting, this entails the use of user and entity behavior analytics (UEBA). This capability can detect suspicious user behavior in real time and enable automated responses such as alerting IT or enforcing step-up multi-factor authentication.
Organizations looking to achieve data security and compliance without restricting their ability to benefit from data-driven insights need to ensure that the proper security processes, policies, and tools are in place. Trying to extend traditional, on-premises solutions and strategies to the cloud is simply not an option. Organizations that attempt this will quickly find themselves outside of compliance with data privacy laws and, in the case of GDPR, facing fines that amount to 4% of their revenue.
While it may appear as though regulatory frameworks are a hindrance for those that are looking to process their data in the cloud, the fact remains that reaching compliance is a solid starting point for protecting data, respecting the individuals whose information is being processed, and demonstrating the qualities of a trustworthy, socially responsible, and forward-thinking organization.