A few months ago, I wrote a post about Cloud Security. But what about privacy? Or are they the same thing?
When I think about privacy, I think about personal information stored in the cloud. If I’m a merchant, I probably have my customers’ credit card information, home addresses and phone numbers. If I’m a health care provider, I might have a social security number or other national identification number, along with the person’s medical information. Most organizations store PII (personally identifiable information) in a database so they can better serve their customers. They may also store it in documents on file servers or in a content management system.
If you have PII stored in an on-premise system, you worry about insiders and those outside the organization. A disgruntled employee or other malicious insider could steal information and sell it to someone or just expose it to the world. This could be a contractor or consultant on temporary assignment. An outside hacker could bypass weak network or system security and steal PII with the intent to perpetrate fraud.
With the cloud, you also may need to worry about the cloud provider. There could be a malicious employee who sees an opportunity to steal valuable information. Or the cloud provider may expose your information through a lack of security or a mistake. The recent case of AT&T exposing customer data to iPad users comes to mind. Or how about if the PII is not encrypted when stored on the provider’s servers? An attacker may be after both the identities of a cloud service’s users and the actual data stored in the cloud. So what can you do to help prevent these problems?
Loss Mitigation Strategies
I see 3 major areas of concern when it comes to personal information.
- Impersonating Identity – employing strong authentication schemes is a good way to ensure the identity of the user. Forcing users to pick strong passwords with a combination of upper- and lower-case letters, numbers and symbols makes them much harder to crack using brute-force attacks. Also, using HTTPS and certificates encrypts the data stream between the user’s browser and the server.
- Tampering with Data – access control and authorization methods are beneficial to ensure that no one tampers with data in a system or in transit. This is the same process one should use with an on-premise system, although in most cases you don’t have control over the transport network. The cloud provider and its employees should not have any access to your data. Only authorized people in your organization, such as HR, should have access to PII. Information in a database should be encrypted and digital signatures should be used to ensure that as data moves in and out of the system, it isn’t changed.
- Disclosing Information – access control is important to make sure that unauthorized people can’t steal information. Using a digital signature to authenticate a user prior to data or document access helps ensure user identity. Encrypting data and documents is also important. Encrypting data inside a database can help prevent its use if an unauthorized person gets it. Using digital rights management technologies on your documents gives you control even if they are stolen.
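The tampering point above says data should carry a digital signature, checked with a key the cloud provider never holds, so that any change made in storage or in transit is detected. The following is an added example (not code from the original post) using an HMAC-SHA256 tag as the integrity check; the key, record fields and the `seal_record`/`open_record` names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Integrity key held by the organization, never by the cloud provider (constructed for this example).
ORG_INTEGRITY_KEY = secrets.token_bytes(32)


def _canonical(record: dict) -> bytes:
    # Canonical JSON: key order and whitespace must not change the tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag before the record leaves for the cloud store."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def open_record(sealed: dict, key: bytes) -> dict:
    """Recompute the tag on retrieval and reject the record if any field changed."""
    expected = hmac.new(key, _canonical(sealed["data"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("integrity check failed: record modified in storage or transit")
    return sealed["data"]


def tamper_detected(sealed: dict, key: bytes) -> bool:
    """True if the sealed record fails its integrity check."""
    try:
        open_record(sealed, key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample PII record, as a merchant might store it.
    customer = {"id": 1042, "name": "A. Customer", "address": "1 Example St", "phone": "555-0100"}
    stored = seal_record(customer, ORG_INTEGRITY_KEY)
    assert open_record(stored, ORG_INTEGRITY_KEY) == customer
    # Simulate a change made on the provider's side: address altered, tag left untouched.
    altered = {"data": dict(stored["data"], address="9 Other Rd"), "tag": stored["tag"]}
    print("tamper detected:", tamper_detected(altered, ORG_INTEGRITY_KEY))  # prints True
```

The tag detects modification but does not hide the record's contents; the disclosure point that follows still calls for encrypting the fields themselves, with the encryption key likewise kept out of the provider's hands.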
None of these techniques is perfect, but they will go a long way toward protecting your information inside a cloud-based system. Ensuring system and user identity and encrypting information are two of the simplest ways to keep your data secure. Make sure your cloud provider has adequate measures and can show you exactly how they accomplish them. If they can’t satisfy your needs, you need to employ your own additional measures to meet your requirements.
Photo credit Brad & Ying